[57] ABSTRACT

The invention allows for transporting, in different degrees of security strength, a symmetric key encrypted using an asymmetric encryption technique, and along with this transporting ciphertext derived from plaintext encrypted under this symmetric key. The encryptor encrypts the plaintext using a symmetric key whose strength is commensurate with the trust level of the environment in which the encryptor is located. The encryptor encrypts this symmetric key for one or more intended recipients using an asymmetric technique commensurate with a high-trust environment. In the case of the encryptor residing in the low-trust environment, the encryptor additionally encrypts this symmetric key using an asymmetric encryption public key of the originator itself (or alternatively, that of a third party). Decryption equipment in all environments uses the decryption process corresponding to an algorithm identifier included by the originator. In all cases, the asymmetric encryption/decryption process used for each specific recipient is of a strength commensurate with the trust level of that recipient's own environment.

21 Claims, 4 Drawing Sheets 
KEY MANAGEMENT SYSTEM FOR MIXED-TRUST ENVIRONMENTS

FIELD OF INVENTION

The invention resides generally in the field of key management for information security systems. More specifically, the invention relates to key management in communications networks which span environments of varying levels of trust.

BACKGROUND OF INVENTION

Encryption systems consist of an encryption process (or algorithm) and a decryption process. The input to the encryption process is a cryptographic key and data, which is referred to as plaintext data. The input to the decryption process is a cryptographic key and data, which is referred to as ciphertext data. The encryption process converts plaintext into ciphertext, while the decryption process does the converse. One characteristic of the key in an encryption system is its length, here denoted as k bits (a bit is a binary digit, representing a 0 or a 1).

In a symmetric encryption system, data to be protected, called plaintext, is encrypted in one environment to produce ciphertext. The ciphertext is decrypted in a second environment to recover the original plaintext. A number, called a key (or more specifically, a symmetric key), is shared between the encrypting and the decrypting process. The key must be secret, but the ciphertext encrypted under this key can be transmitted over an otherwise unprotected communications medium which is subject to eavesdropping by an adversary. The adversary is unable to recover the plaintext due to lack of knowledge of the key. In well-designed symmetric encryption systems, all k bits of a key are necessary for the encryption and decryption algorithms to function properly. Examples of symmetric encryption algorithms are the Data Encryption Standard (DES), originally detailed by Ehrsam et al. in U.S. Pat. No. 3,962,539; block ciphers constructed using the CAST design technique of Adams, details of which are given in U.S. Pat. No. 5,511,123, Apr. 26, 1996; and well known proprietary block ciphers such as the RC2 cipher of RSA Data Security Inc.

Cryptographic techniques other than encryption also make use of symmetric keys. One example is message authentication code (MAC) algorithms, which involve appending to a transmitted message a tag value (or MAC), which is computed using an algorithm which takes as input the message data and a secret key. The recipient, who shares the secret key, upon receiving the data and tag recomputes its own tag value from the shared key and the received data, and compares this tag value to that received. If the tag values agree, the recipient has some assurance that the data originated from the party with which it shares the key. MACs thus provide data origin authentication.

Symmetric encryption algorithms may be attacked by an adversary who, given one known plaintext-ciphertext pair of data, tries all 2^k possible k-bit keys to see which one maps the known plaintext to the known ciphertext. This is referred to as an exhaustive key search. In a well-designed symmetric encryption system, an adversary can do no better than mount such an exhaustive attack. In this case, the bit-length k of the key gives an indication of the strength of the algorithm: the work required for an attack is 2^k operations, and the probability of any particular key being guessed, assuming that all keys are equi-probable, is (1/2)^k.

Asymmetric cryptographic techniques, such as the RSA scheme of Rivest, Shamir and Adleman of U.S. Pat. No. 4,405,829, also play a major role in commercial cryptographic solutions in the field of information security. The basic idea is as follows. An encryption algorithm, for example, is parameterized by a pair of related numbers, known as a private key and a public key. The public key, known to everyone, allows anyone to encrypt data for a specific recipient; the private key, known only to the intended recipient, allows that individual to decrypt the data. Another technique, referred to as DH key exchange after Diffie and Hellman, and described by Hellman, Diffie and Merkle in U.S. Pat. No. 4,200,770, allows two parties to establish a shared secret key using only publicly known parameters. DH can also be used for key transfer to provide functionality equivalent to RSA key transfer; this is commonly called ElGamal encryption (see T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", IEEE Transactions on Information Theory, volume 31, 1985, pages 469-472). Variations of ElGamal encryption have also been proposed and implemented using elliptic curve cryptography.

In practice, asymmetric techniques are often used for key management applications, and in particular, for the transfer of a symmetric key from one party to one or more other parties. Often a different symmetric key is used for each transmission from a party A to a party B; in this case, the symmetric key is referred to as a session key. The session key is then typically used in a symmetric algorithm, e.g. an encryption algorithm such as DES or a CAST algorithm. This is done because symmetric encryption algorithms are often faster for bulk data encryption than asymmetric techniques, while the latter allow for more convenient solutions to the key distribution problem because only the authenticity of a public key need be assured, and this is easier than distributing keys whose secrecy must be guaranteed. Such systems involving both symmetric and asymmetric techniques are called hybrid systems.

A common example of a hybrid technique is to encrypt a data file with a symmetric key to produce ciphertext, and to format this ciphertext as a data file with a header. The header contains one or more copies of the symmetric key, encrypted using the public key of one or more intended recipients. The key asymmetrically encrypted for each recipient is preceded by an identifier which allows the intended recipient to determine which of the possibly multiple fields in the header is the one appropriate for it to decrypt in order to recover the symmetric key. This technique is referred to as digital enveloping.

When cryptographic techniques are used in communications systems which span different (e.g., geographic) regions, in practice it may occur that the different regions can be considered to be trusted to different extents. For example, region X may be considered a high-trust environment because it lies entirely within a country having no concerns about unlawful use of encryption, e.g. because the laws of that country allow law-enforcement access to encryption keys under appropriate circumstances (e.g. wiretaps authorized by one or more judges or other trusted agents). In contrast, a region Y may be considered a low-trust environment because there is some risk that within it, encryption may be used for purposes which subvert law-enforcement or the protection of national security, or because appropriate legislative or administrative safeguards are not in place.

The usual approach (hereafter called the lowest-level approach) to using cryptographic techniques in such mixed-trust environments is to have both a strong and a weak cryptographic technique. Products installed in the low-trust
environment are restricted to containing only the weak algorithm, while those in the high-trust environment contain both the strong and weak techniques. By this approach, communications in which both end-points reside in the strong environment may provide security using the strong techniques, whereas for reasons of interoperability, communications in which one or both end-points reside in the low-trust environment can be protected only by the weak techniques. This allows authorities to intercept communications involving the low-trust environment and defeat the cryptographic protection if necessary for national security or law enforcement reasons.

A notable exception to the prior-art lowest-level approach is the mixed-trust encryption system of Ford, specified in the co-pending U.S. patent application Ser. No. 08/535,445 filed on Sep. 28, 1995, now allowed and assigned to the assignee of the present invention. That invention provides a solution to the mixed-trust use of a symmetric encryption algorithm, while the focus of the present invention is key management in a mixed-trust environment, including mixed-trust key management using asymmetric techniques. The present invention provides a mixed-trust key management solution which is complementary to the invention of application Ser. No. 08/535,445.

The lowest-level approach has at least two drawbacks, which apply both for the case that the cryptographic technique in question is a symmetric encryption algorithm used for bulk encryption as per application Ser. No. 08/535,445 and when an asymmetric cryptographic technique is used for key establishment as per the present invention. The first drawback is that the lowest-level approach unnecessarily degrades the security of the system when communications originating in the high-trust environment are destined for recipients in both the low-trust environment and the high-trust environment (or a low-trust environment alone), because in this case the approach makes the communications susceptible to an adversary capable of defeating the weaker technique. The present invention overcomes this deficiency, while maintaining the objective of guarding against entities in the low-trust environment using high-trust cryptographic key management techniques for purposes which may subvert law-enforcement or the protection of national security.

The second drawback of the lowest-level approach is that it unnecessarily increases the complexity of products in the high-trust environment, by requiring such products which originate communications to know, at the time a communication is originated, whether the intended recipient(s) are in the high-trust environment or the low-trust environment. In some cases, this constraint may even preclude deployment of a product, if the system architecture is unable to make such information available to the originator. The present invention removes this deficiency, such that an originating entity in the high-trust environment performs the same key management process regardless of the trust-level of the environment of the intended recipient(s). Likewise, originating entities in low-trust environments carry out the same operation regardless of the environment of their intended recipient(s). Receiving entities in both high-trust and low-trust environments are able to carry out the appropriate reception operations based on identifying information included by the originator in the transmitted message.

OBJECTS OF INVENTION

It is therefore an object of the present invention to provide a method and a system for establishing shared secret cryptographic keys between two or more parties over a communication network which spans both high-trust and low-trust environments.

It is another objective of the present invention to ensure a secure data transfer which originates in the high-trust environment and for which the intended recipients are either in the high-trust environment or the low-trust environment.

It is another object that entities in the high-trust environment need not carry out any special operations which might otherwise be required to distinguish incoming communications originating in the high-trust environment from those which originated in the low-trust environment.

SUMMARY OF INVENTION

Briefly stated, according to one aspect the invention is directed to a method of managing cryptographic keys between first and second parties in communication environments of different degrees of trust. The method comprises steps of the first party encrypting a cryptographic key of a cryptographic strength commensurate with the degree of trust of the environment in which the first party is located, by using a low trust encryption public key of the first party to generate a first party encrypted cryptographic key. The first party further encrypts the cryptographic key using a high trust encryption public key of the second party to generate a second party encrypted cryptographic key, and concatenates the first and second encrypted cryptographic keys. The method further includes a step of the second party, upon reception of the data, decrypting the second party encrypted cryptographic key to recover the cryptographic key.

According to another aspect, the invention is directed to a method of managing cryptographic keys between first and second parties in communication environments of different degrees of trust. The method comprises steps of the first party selecting a cryptographic key of a cryptographic strength commensurate with the degree of trust of the environment in which the first party is located and performing a levelling function involving combining, using a reversible function, the cryptographic key with additional data derived in part or in whole from the data field described below, to generate a levelled key. The method further includes steps of the first party encrypting the levelled key using a high trust encryption public key of the second party to generate a second party encrypted levelled key. The method includes a further step of the first party creating a data field consisting in part of the cryptographic key, encrypted under a low trust encryption public key of the first party, and concatenating the data field and the second party encrypted levelled key. The method also includes steps of the second party, upon reception of the concatenated data, decrypting the second party encrypted levelled key to recover the levelled key, and performing an unlevelling using the data field and the recovered levelled key to recover the cryptographic key.

BRIEF DESCRIPTION OF DRAWINGS

FIGS. 1, 2, 3 and 4 are illustrative examples of algorithmic processes of an encryptor and a decryptor supporting the method according to embodiments of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF INVENTION

According to one aspect, the invention resides in a mechanism and supporting system whose design allows for
transporting, in different degrees of security strength, a symmetric key encrypted using an asymmetric encryption technique, and optionally along with this transporting ciphertext derived from plaintext encrypted under this symmetric key. The method includes the encryptor encrypting the plaintext using a symmetric encryption process whose strength is commensurate with the trust level of the environment in which the encryptor is located, using a symmetric key of a corresponding strength; using, for transmissions originating in both the low-trust and the high-trust environment, an asymmetric technique commensurate with a high-trust environment to encrypt this symmetric key for one or more intended recipients; and in the case of the encryptor residing in the low-trust environment, additionally encrypting this symmetric key using an asymmetric technique commensurate in strength with the low-trust environment, using an asymmetric encryption public key of the originator itself (or alternatively, that of a third party) referred to as key X below. The encryption under key X effectively reduces the overall security to that of the low-trust environment in, and only in, the special case where the originating equipment resides in the low trust environment. Decryption equipment in all environments uses the decryption process corresponding to an algorithm identifier included by the originator. In all cases, the asymmetric encryption/decryption process used for each specific recipient is of a strength commensurate with the trust level of that recipient's own environment. Furthermore, in the case that the originator is in a low-trust environment, the data recovered by asymmetric decryption by the recipient must be combined with a data value which is some function of the ciphertext encrypted under key X in order to recover the symmetric key which allows the recipient to recover the original plaintext. This feature guarantees that the presence of the data field associated with key X cannot be removed in order to, contrary to the design intent, "upgrade" the trust-level of the low-trust equipment, because doing so prevents recipient equipment from recovery of the intended data.

According to another aspect, the invention is directed to an apparatus for complementary cryptographic operations, such as encryption and decryption, in different degrees of security strength. The apparatus comprises either one or both of a first symmetric encryption module for use in encrypting data in high-trust environments which uses a strong cryptographic process, and a second encryption module for use in encrypting data in low-trust environments which uses a less strong symmetric cryptographic process; together with one or both of a first asymmetric encryption/decryption module for use in key transfer providing a security strength commensurate with a high-trust level environment, and a second asymmetric encryption/decryption module for use in key transfer providing a security strength commensurate with a low-trust environment; and finally, also includes a module providing a mechanism capable of determining the source of received cryptographically protected information, allowing a decision to be made to allow proper recovery of an asymmetrically-encrypted symmetric key to allow such key to be used to decrypt symmetrically-encrypted plaintext data.

Reference is now made to FIGS. 1 and 2. In one embodiment, the invention involves use of the RSA public-key encryption technique for key transfer from one party to one or more parties over an otherwise unsecured communications channel, and using the digital enveloping technique described above. The plaintext data file is encrypted once, e.g. using the DES or a CAST symmetric algorithm, and a new random symmetric key (referred to below as the file key). The RSA public key of each intended recipient is obtained by the originator using some means which guarantees the authenticity of the key. Each public key is then used to encrypt a separate copy of the file key. The copies of the file key are then included in a file header, followed by one copy of the encrypted data itself.

More specifically, one preferred embodiment of the invention involves the following. The low-trust module is constrained to use 512-bit RSA encryption for key transfer, while the high-trust system makes use of 1024-bit RSA for key transfer. Following the invention disclosed in U.S. application Ser. No. 08/535,445, the system is designed to encrypt data files using 80-bit keys in the high-trust environment and 40-bit keys in the low-trust environment; this may be called an "80/40" solution. Despite the 512-bit constraint on the low-trust environment, all entities in the communications system have 1024-bit RSA public encryption keys which are made available to other entities through a public directory. Entities which reside in the low-trust environment have, in addition, a 512-bit RSA encryption public key which need not be known by other entities, and therefore need not be in the directory; these 512-bit keys optionally may be generated for each communication.

If entities A and B are both in a high-trust environment, and A wishes to send a data file to B, A (i.e. the cryptographic module of the equipment which user A is using) symmetrically encrypts the data file using a new 80-bit CAST key K and then RSA-encrypts one copy of K under its own 1024-bit RSA key and a second copy of K under the 1024-bit RSA key of B. The two encrypted keys are included in the header of a file which also includes the encrypted data file. The composite file is then sent to B.

In the case that B resides in a low-trust environment, the cryptomodule of entity A generates the same composite file, and sends this to B.

Referring now to FIGS. 3 and 4, in the case that A resides in a low-trust environment, and is communicating with an entity B which resides in either a low-trust environment or a high-trust environment, A's equipment generates the following data instead. A 40-bit CAST key K' is used to symmetrically encrypt the data file, some function of K' (called the levelled key) is RSA-encrypted under each of the 1024-bit keys as above, and two additional data fields are included in the file header. Regarding these additional fields, the first is a 512-bit RSA public key of entity A itself, and the second is the RSA-encryption of K' under this 512-bit key. Let X denote the concatenation of these two data fields, and let h(X) denote the "hash" of the data string X, e.g. using a one-way hash function such as the Secure Hash Algorithm SHA-1 as specified in U.S. Federal Information Processing Standards Publication 180-1 (FIPS PUB 180-1). Alternatively, another well known hash function such as MD5 or RIPEMD-160 can be used.

The function of K' (the levelled key) which is RSA-encrypted, rather than the 80-bit key, is (K' XOR h40(X)), where XOR is the bitwise exclusive-OR operation, and h40(X) denotes 40 bits, say the leftmost 40 bits, of the value h(X). The use of the levelled key, rather than K' alone, is one means to ensure that the fields which compose X are not simply removed by a party which wishes to "upgrade" the overall security of the communication to a 1024-bit RSA encryption (as is the case earlier where both A and B resided in the high-trust environment). Thus the following fields are transmitted from A to B in the case that A is in a low-trust environment, and B is either in a low-trust or high-trust environment: X, RSA1024_A(K' XOR h40(X)), RSA1024_B(K' XOR h40(X)), CAST40(data file). Here K' is a 40-bit symmetric CAST key, CAST40(·) denotes symmetric encryption of the bracketed quantity using a 40-bit symmetric CAST algorithm, and X is the concatenation of: a 512-bit RSA public key of A, and K' RSA-encrypted under this key.
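The following Python program is an added worked model of the envelope just described; it is not part of the patent specification and does not reproduce any product's code. Textbook RSA over small fixed primes stands in for the 512-bit and 1024-bit RSA keys, and a SHA-1 keystream stands in for the CAST40/CAST80 cipher; both stand-ins are toys for illustration and are not secure. The function h40 is the leftmost 40 bits of SHA-1, as the text specifies. The field layout of X, the algorithm-identifier strings, the function names and the sample key values are assumptions made for the example. It shows the originator's levelling step, the recipient's unlevelling using the received X, and why a header from which X has been stripped and relabelled as a plain high-trust envelope yields the wrong K' and cannot recover the data file.

```python
"""Toy model of the levelled-key envelope of FIGS. 3 and 4 (constructed example)."""
import hashlib
import math

# ---- toy RSA: stand-in for the page's 512-bit / 1024-bit RSA key transfer (NOT secure)
def rsa_keygen(p, q):
    """Textbook RSA keypair from two primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:          # make sure e is invertible mod phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))

def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

# Assumed toy key sizes: a ~63-bit modulus plays the "512-bit" low-trust key and
# ~150-bit / ~196-bit moduli play the "1024-bit" high-trust keys of A and B.
LOW_PRIMES_A = ((1 << 31) - 1, (1 << 32) - 5)
HIGH_PRIMES_A = ((1 << 61) - 1, (1 << 89) - 1)
HIGH_PRIMES_B = ((1 << 89) - 1, (1 << 107) - 1)

# ---- helpers ---------------------------------------------------------------------------
def pack(*ints):
    """Length-prefixed concatenation of integers; used to build the data string X."""
    out = b""
    for v in ints:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(b).to_bytes(2, "big") + b
    return out

def h40(x: bytes) -> int:
    """Leftmost 40 bits of SHA-1(X), as the text defines h40(X)."""
    return int.from_bytes(hashlib.sha1(x).digest()[:5], "big")

def sym_xor(key: int, data: bytes) -> bytes:
    """Toy SHA-1 keystream standing in for CAST40/CAST80; XOR so it also decrypts."""
    kb = key.to_bytes((key.bit_length() + 7) // 8 or 1, "big")
    stream = b"".join(hashlib.sha1(kb + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 19) // 20))
    return bytes(a ^ b for a, b in zip(data, stream))

# ---- originator A in the low-trust environment (FIGS. 3 and 4) ------------------------
def envelope_low_trust(a_low_pub, a_high_pub, b_high_pub, k_prime, plaintext):
    # X = A's own low-trust public key || RSA_low_A(K')
    x = pack(a_low_pub[0], a_low_pub[1], rsa_encrypt(a_low_pub, k_prime))
    levelled = k_prime ^ h40(x)                      # levelled key: K' XOR h40(X)
    return {
        "alg_id": "levelled",                        # algorithm identifier from originator
        "X": x,
        "enc_A": rsa_encrypt(a_high_pub, levelled),  # RSA1024_A(K' XOR h40(X))
        "enc_B": rsa_encrypt(b_high_pub, levelled),  # RSA1024_B(K' XOR h40(X))
        "body": sym_xor(k_prime, plaintext),         # CAST40(data file)
    }

# ---- originator A in the high-trust environment (FIGS. 1 and 2) -----------------------
def envelope_high_trust(a_high_pub, b_high_pub, k, plaintext):
    return {"alg_id": "plain", "X": b"",
            "enc_A": rsa_encrypt(a_high_pub, k), "enc_B": rsa_encrypt(b_high_pub, k),
            "body": sym_xor(k, plaintext)}

# ---- recipient B: one reception path, selected by the algorithm identifier -----------
def open_envelope(env, b_high_priv):
    recovered = rsa_decrypt(b_high_priv, env["enc_B"])
    if env["alg_id"] == "levelled":
        recovered ^= h40(env["X"])      # unlevelling: X must be present and intact
    return sym_xor(recovered, env["body"])

def run_demo():
    a_low_pub, _ = rsa_keygen(*LOW_PRIMES_A)
    a_high_pub, _ = rsa_keygen(*HIGH_PRIMES_A)
    b_high_pub, b_high_priv = rsa_keygen(*HIGH_PRIMES_B)
    plaintext = b"constructed sample data file"
    k_prime = 0x1234567890                       # constructed 40-bit key K'
    env = envelope_low_trust(a_low_pub, a_high_pub, b_high_pub, k_prime, plaintext)
    honest = open_envelope(env, b_high_priv)
    # Header with X removed and relabelled as a plain high-trust envelope: B then
    # treats the levelled value as K' itself, and the data file does not decrypt.
    stripped = dict(env, alg_id="plain", X=b"")
    upgraded = open_envelope(stripped, b_high_priv)
    k = 0x0123456789ABCDEF0123                   # constructed 80-bit key K
    env_hi = envelope_high_trust(a_high_pub, b_high_pub, k, plaintext)
    return {"low_trust_roundtrip": honest == plaintext,
            "stripped_x_recovers": upgraded == plaintext,
            "high_trust_roundtrip": open_envelope(env_hi, b_high_priv) == plaintext}

if __name__ == "__main__":
    print(run_demo())
```

The recipient code path is the same for both cases, which is the property the text asks for: B never needs to know in advance where A resides, only the algorithm identifier A included, and when that identifier says "levelled" the recovered key is correct only if the received X is the one A hashed.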

While the described embodiment involves the use of 
512-bit and 1024-bit RSA, 40-bit and 80-bit CAST, the 
particular hash function SHA-1, and a levelled key created 
by the XOR of two quantities, the invention can clearly be 
modified for different asymmetric keys lengths and different 
public-key encryption techniques, different symmetric key 
lengths and different symmetric key algorithms, different 
hash functions, and different key-levelling functions. These 
can all be varied to match different trust level requirements 
of different environments and systems, and the algorithms 
preferred for use in different systems. 

In the case that entity A in the low trust environment is 
communicating with both entity B (which uses 1024-bit 
RSA keys) and some other entity C (which uses 512-bit RSA 
keys), no special access modifications are made for entity C. 
The header field for entity C would consist of the 40-bit key 
K' encrypted with C's 512-bit RSA key. Because entity C 
uses an RSA key size consistent with a low trust 
environment, no levelling operations are required. In this 
way, interoperability is maintained with entities which use 
low trust RSA key sizes and do not support levelling 
functionality. 

As seen in the above discussion, the present invention 
provides a method and a system for establishing shared 
secret keys (e.g. to allow encryption and/or other crypto- 
graphic protection including authentication), between two or 
more parties over a communication network which spans 
both high-trust and low-trust environments. 

The present invention also ensures that cryptographic 
keys, used for cryptographic protection of data in high-trust 
environments, are not unnecessarily exposed (i.e. down- 
graded to a reduced-trust level) to eavesdroppers or adver- 
saries when such keys and the data protected thereunder are 
transmitted in a key establishment communication and data 
transfer which originates in the high-trust environment and 
for which the intended recipients are either in the high-trust 
environment or the low-trust environment. 

The invention provides an apparatus and system design 
such that equipment in the high-trust environment which is 
the source of the cryptographically protected information or 
key transfer, need not know at the time of transfer whether 
the protected information or key is destined for a high-trust 
or a low-trust environment. 

According to the invention, entities in the high-trust 
environment, upon receiving cryptographically protected 
communications from other entities in the high-trust 
environment, need not carry out any special operations 
which might otherwise be required to distinguish such 
incoming communications from those which had originated 
in the low-trust environment; and that for incoming com- 
munications originating in the low-trust environment, the 
high-trust recipient carries out operations which enforce the 
requirement that the cryptographic protection used by the 
low-trust originator was indeed that (and no higher than that) 
which was designed into the system architecture. 

The invention also ensures that persons using equipment 
incorporating the method and system of the present inven- 
tion in the low-trust environment are unable to subvert the 
intended design feature, ensuring that entities be unable to 
originate messages with cryptographic protection at the 
same level of security as that provided by the corresponding 
high-trust environment equipment, and which might there- 
fore subvert the design features supporting law-enforcement 
actions. 

What is claimed is: 

1. A method of managing cryptographic keys between 
first and second parties in communication environments of 
different degrees of trust comprising the steps of: 

the first party 

encrypting a cryptographic key by using a low trust 
encryption public key of the first party having a first 
key length, to generate a first party encrypted cryp- 
tographic key, 

encrypting the cryptographic key using a higher trust 
encryption public key of the second party having a 
second key length longer than the first key length to 
generate a second party encrypted cryptographic key, 
and 

concatenating the first party and second party encrypted 
cryptographic keys, and 

the second party, upon reception of the concatenated data, 
decrypting the second party encrypted cryptographic 
key to recover the cryptographic key. 

2. The method according to claim 1, wherein the crypto- 
graphic key is an encryption key, and comprising further 
steps of: 

the first party 

encrypting plaintext into ciphertext using the crypto- 
graphic key, 

concatenating the ciphertext to the first party and 
second party encrypted cryptographic keys, and 

the second party 

decrypting the ciphertext into the plaintext using the 
thus recovered cryptographic key. 

3. The method according to claim 2 wherein the crypto- 
graphic key is a symmetric encryption key and the first and 
second parties use a symmetric encryption process for 
encrypting the plaintext or decrypting the ciphertext. 

4. The method according to claim 3 wherein the symmet- 
ric encryption process is a block cipher from the group of 
DES, CAST and RC2. 

5. The method according to claim 1 wherein the first and 
second parties use distinct asymmetric encryption processes 
to generate the first party and second party encrypted 
cryptographic keys. 

6. The method according to claim 5 wherein the asym- 
metric encryption processes are any of RSA encryption and 
ElGamal encryption. 

7. The method according to claim 1 wherein there are 
three or more parties in communication environments of 
different degrees of trust comprising steps of: 

for the third and other remaining parties separately 

encrypting the cryptographic key using an encryption 
public key of each of these parties to generate a second 
party, third party and additional encrypted crypto- 
graphic keys, and 

concatenating the first, second, and additional encrypted 
cryptographic keys, 

the second and subsequent parties each, upon reception of 
the concatenated data, 
decrypting the corresponding encrypted cryptographic key. 

8. A method of managing cryptographic keys between 
first and second parties in communication environments of 
different degrees of trust comprising the steps of: 
the first party 

selecting a cryptographic key, 

creating a data field consisting in part of the crypto- 
graphic key, encrypted under a low trust encryption 
public key of the first party having a first key length, 

combining, using a reversible function, the crypto- 
graphic key with additional data derived in part or in 
whole from the data field to generate a levelled key, 

encrypting the levelled key using a high trust encryp- 
tion public key of the second party having a second 
key length longer than the first key length to generate 
a second party encrypted levelled key, 

concatenating the data field, and second party 
encrypted levelled key, 
the second party, upon reception of the concatenated data, 

decrypting the second party encrypted levelled key to 
recover the levelled key, and 

recovering the cryptographic key using the received 
data field and the recovered levelled key. 

9. The method according to claim 8, wherein the crypto- 
graphic key is an encryption key, and comprising further 
steps of: 

the first party 

encrypting a plaintext into a ciphertext using the cryp- 
tographic key, concatenating the ciphertext to the 
data field and the second party encrypted levelled 
key, 

the second party, upon reception of the concatenated 
data, decrypting the ciphertext into the plaintext 
using the thus recovered cryptographic key, 

10. The method according to claim 9 wherein the cryp- 
tographic key is a symmetric encryption key and the first and 
second parties use a symmetric encryption process for 
encrypting the plaintext or decrypting the ciphertext. 

11. The method according to claim 10 wherein the sym- 
metric encryption process is a block cipher from the group 
of DES, CAST and RC2. 

12. The method according to claim 8 wherein the first 
party uses distinct asymmetric encryption processes to gen- 
erate the second party encrypted levelled key and the second 
party uses an asymmetric decryption process to decrypt the 
second party encrypted levelled key.

13. The method according to claim 12 wherein the asym- 
metric encryption processes are any of RSA encryption, and 
ElGamal encryption. 

14. The method according to claim 8 wherein the step of 
combining using a reversible process to generate a levelled 
key comprises further steps of: 

encrypting the cryptographic key using the low trust 
encryption public key of the first party having the first 
key length,

concatenating the resulting data to said low trust encryp-
tion public key itself,

hashing a resulting data string using a cryptographic hash
function, resulting in a hash value,

combining a subset of the hash value, using an exclusive- 
OR operation, with said cryptographic key, to generate 
the levelled key. 

15. The method according to claim 14 where the hash 
function used is from the group of SHA-1 and MD5 hash
functions.

16. The method according to claim 8 wherein there are 
three or more parties in communication environments of 
different degrees of trust, comprising steps of: 

for third, and other remaining parties separately encrypt-
ing the levelled key using an encryption public key of
each of these parties to generate a third party and
additional encrypted levelled keys, and

concatenating the second party, third party, and additional
encrypted levelled keys,

the second and subsequent parties each, upon reception
of the concatenated data,

decrypting the corresponding encrypted levelled key, and

recovering the corresponding cryptographic key using
the decrypted levelled key.

17. The method according to claim 8 wherein the data 
field consists of a low trust encryption public key of the first 
party having a key length shorter than a key length of a high 
trust encryption public key, concatenated to the encrypted 
value of the cryptographic key under the low trust encryp- 
tion public key. 

18. The method according to claim 8 comprising further 
steps of the first party 

encrypting the levelled key by using a high trust encryp- 
tion public key of the first party having a key length 
larger than the low trust encryption public key to 
generate a first party encrypted levelled key, and insert- 
ing the first party encrypted levelled key into the 
concatenated data.
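As an added example (not code from the patent or its assignee), the following Python models the levelled-key transport of claims 8, 14, 17 and 18 end to end: the first party's data field, the XOR-with-hash levelling, the encryption of the levelled key for each high-trust recipient, and the three recovery paths. Textbook RSA on tiny hard-coded primes, applied one byte at a time without padding, stands in for the asymmetric encryption of the claims, and SHA-256 replaces the SHA-1/MD5 named in claim 15; both are assumptions made for the example, as are the key sizes and the sample key. The tamper check at the end shows what the levelling buys: the recipient's copy of the key reconstitutes correctly only against the exact data field that was hashed, so the low-trust escrow field cannot be altered or stripped in transit without breaking recovery.

```python
"""Toy model of the levelled-key transport in claims 8, 14, 17 and 18.
Added example; RSA on tiny primes and SHA-256 are assumptions, not the patent's choices."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    n: int
    exp: int  # public exponent e, or private exponent d

    @property
    def width(self) -> int:
        """Bytes needed to carry one residue modulo n."""
        return (self.n.bit_length() + 7) // 8

    def serialize(self) -> bytes:
        """Fixed encoding of a public key: n || e, 4 bytes each (toy sizes only)."""
        return self.n.to_bytes(4, "big") + self.exp.to_bytes(4, "big")


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key pair from two small primes (constructed, insecure sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return RsaKey(n, e), RsaKey(n, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+


def rsa_apply(data: bytes, key: RsaKey, in_w: int, out_w: int) -> bytes:
    """m -> m^exp mod n on each in_w-byte chunk, emitting out_w-byte residues."""
    out = bytearray()
    for i in range(0, len(data), in_w):
        m = int.from_bytes(data[i:i + in_w], "big")
        out += pow(m, key.exp, key.n).to_bytes(out_w, "big")
    return bytes(out)


def rsa_encrypt(plain: bytes, pub: RsaKey) -> bytes:
    return rsa_apply(plain, pub, 1, pub.width)      # one plaintext byte per residue


def rsa_decrypt(cipher: bytes, priv: RsaKey) -> bytes:
    return rsa_apply(cipher, priv, priv.width, 1)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_data_field(k: bytes, pub_low: RsaKey) -> bytes:
    """Claim 17: data field = low-trust public key || Enc_low(k)."""
    return pub_low.serialize() + rsa_encrypt(k, pub_low)


def level_key(k: bytes, data_field: bytes) -> bytes:
    """Claim 14: levelled key = k XOR (leading bytes of H(data field)).
    XOR is an involution, so the same call maps the levelled key back to k."""
    return xor(k, hashlib.sha256(data_field).digest()[:len(k)])


def first_party_package(k: bytes, pub_low: RsaKey, pub_high_self: RsaKey,
                        pub_high_recipient: RsaKey) -> dict:
    """Claims 8 and 18, sending side: one levelled key, encrypted per high-trust key."""
    data_field = make_data_field(k, pub_low)
    levelled = level_key(k, data_field)
    return {
        "data_field": data_field,
        "first_party": rsa_encrypt(levelled, pub_high_self),        # claim 18
        "second_party": rsa_encrypt(levelled, pub_high_recipient),  # claim 8
    }


def recover_via_levelled(pkg: dict, slot: str, priv_high: RsaKey) -> bytes:
    """Claim 8, receiving side: decrypt the levelled key, then undo the XOR against
    the received data field. A wrong or altered data field yields a wrong key."""
    return level_key(rsa_decrypt(pkg[slot], priv_high), pkg["data_field"])


def recover_via_low_trust(pkg: dict, priv_low: RsaKey) -> bytes:
    """Originator-side recovery straight from the escrow part of the data field."""
    return rsa_decrypt(pkg["data_field"][8:], priv_low)


def demo() -> dict:
    """Run the exchange on constructed keys and return what each path recovers."""
    pub_low, priv_low = make_keypair(61, 53)       # "short" key: 12-bit modulus
    pub_a, priv_a = make_keypair(1019, 1021)       # first party's "long" key: 20-bit modulus
    pub_b, priv_b = make_keypair(1009, 1013)       # second party's "long" key: 20-bit modulus
    k = bytes(range(16))                           # constructed 128-bit symmetric key
    pkg = first_party_package(k, pub_low, pub_a, pub_b)
    df = pkg["data_field"]
    tampered = dict(pkg, data_field=df[:-1] + bytes([df[-1] ^ 1]))  # flip one escrow bit
    return {
        "key": k,
        "second_party": recover_via_levelled(pkg, "second_party", priv_b),
        "first_party": recover_via_levelled(pkg, "first_party", priv_a),
        "low_trust": recover_via_low_trust(pkg, priv_low),
        "tampered": recover_via_levelled(tampered, "second_party", priv_b),
    }


if __name__ == "__main__":
    r = demo()
    for path in ("second_party", "first_party", "low_trust", "tampered"):
        print(f"{path:13s} recovered key matches: {r[path] == r['key']}")
```

The three recovery paths correspond to the three environments in the claims: the second party (claim 8) and the first party (claim 18) go through their own long-key encryption of the levelled key and then need the intact data field; the low-trust path decrypts the escrowed copy directly with the short key and needs nothing else, which is exactly why that copy is the one whose strength is tied to the originator's own environment.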

19. An apparatus for complementary cryptographic 
operations, in different degrees of security strength compris- 
ing: 

first encryption means for encrypting a cryptographic key 
by using a low trust encryption public key of the first 
party having a first key length, to generate a first party 
encrypted cryptographic key, 

second encryption means for encrypting the crypto- 
graphic key using a higher trust encryption public key 
of the second party having a second key length longer 
than the first key length to generate a second party 
encrypted cryptographic key, and 

means, responsive to the first and second encryption 
means, for concatenating the first party and second 
party encrypted cryptographic keys, and

means, responsive to the concatenated data, for decrypt- 
ing the second party encrypted cryptographic key to 
recover the cryptographic key. 

20. A method of managing cryptographic keys between 
first and second parties in communication environments of 
different degrees of trust comprising the steps of: 

the first party 

selecting a cryptographic key, 

creating a data field consisting in part of the crypto- 
graphic key, encrypted under a low trust encryption 
public key of the first party having a first key length, 

combining, using a reversible function, the crypto- 
graphic key with additional data derived in part or in 
whole from the data field to generate a levelled key, 

encrypting the levelled key using a high trust encryp- 
tion public key of the second party having a second 
key length longer than the first key length to generate 
a second party encrypted levelled key, 

concatenating the data field, and second party 
encrypted levelled key, 
the second party, upon reception of the concatenated data, 

decrypting the second party encrypted levelled key to 
recover the levelled key, and 

recovering the cryptographic key using the received 
data field and the recovered levelled key. 

21. An apparatus for complementary cryptographic opera-
tions in different degrees of security strength comprising: 

first encryption means for encrypting a cryptographic key 
by using a low trust encryption public key of the first 
party having a first key length, to generate a first party 
encrypted cryptographic key, 

second encryption means for encrypting the crypto- 
graphic key using a higher trust encryption public key 
of the second party having a second key length longer 
than the first key length to generate a second party
encrypted cryptographic key, and 

means, responsive to the first and second encryption 
means, for concatenating the first party and second 
party encrypted cryptographic keys, and 

means, responsive to the concatenated data, for decrypt- 
ing the second party encrypted cryptographic key to 
recover the cryptographic key. 

[57] ABSTRACT

A method of secure data transmission commences at a 
sending or originating terminal by processing a sender
challenge on an originating subscriber card with a secret
originating subscriber coding key to obtain an originating 
subscriber response. The response is used at the originating 
terminal to encrypt the message to be securely transmitted. 
The thus-encrypted message is transmitted, together with the 
sender challenge in its original form, to a system server. The 
server retrieves the originating subscriber coding key from 
a repository to which it has access, and uses the key to 
generate a response that is identical to that produced by the 
originating subscriber. It then employs the so-obtained 
response to decrypt the originator's encrypted message, 
determines the intended recipient, and retrieves from the 
repository the coding key assigned to such recipient. The 
server then issues a new challenge and repeats the above 
processing and encryption steps using the recipient's sub- 
scriber's coding key, thereby re-encoding the message and 
sending the thus re-encrypted message and the unencrypted 
new challenge to the receiving station where the same 
process is employed on the recipient subscriber card to 
obtain, from the unencrypted new challenge and the recipi- 
ent subscriber code key stored on the recipient subscriber 
card, the receiving subscriber response to be used in decryp- 
tion of the received, server re-encrypted message. 

7 Claims, 2 Drawing Sheets 

SECURE DATA TRANSMISSION METHOD

FIELD OF THE INVENTION 

The present invention relates to the telecommunications
field in general, and more particularly to the area of encryp- 
tion and decryption of electronically transmitted messages. 

BACKGROUND ART 

As electronic mail and other data transmission methods
gain in popularity and become more and more widespread 
both as to the number of people availing themselves of such 
services and the number of messages being sent by way of 
these channels, there is a growing need for simple, secure 
and reliable encryption of the data being transmitted. This is
especially so because a steadily increasing proportion of 
such data is of a proprietary or otherwise sensitive nature 
which, were such information to fall into the wrong hands, 
could be detrimental or, at the very least, embarrassing to the 
issuer of the transmitted information and/or its intended
recipient. 

To satisfy this need for transmission security, there have 
been developed and are currently available a variety of 
devices and algorithms for encoding information to be
transmitted and for subsequently decoding the encoded 
information after it has reached the intended recipient. Of 
course, it is important to encrypt the information in such a 
manner as to make it difficult, if not substantially impossible, 
to break the code or key used in the encryption. This,
coupled with safeguarding of the key itself by all persons 
having access to that key, provides a high degree of assur- 
ance that anyone who may have received or intercepted the 
transmission without being authorized to learn of its con- 
tents will be unable to decipher the message contained in the
transmission. 

Of course, it would be possible, and is in fact required 
when operating in accordance with the Digital Encryption 
Standard (DES) currently applicable to electronic mail 
(E-mail), for the issuer and the intended recipient to agree
upon or notify one another of a particular encoding key to be 
used. Such key could then be employed for all encrypted 
communications sent by the respective issuer, or all those 
taking place between the respective parties, or such com- 
munications occurring within a certain time span, as on a
particular day, or even to individual messages. This encod- 
ing key information exchange may take place either well in 
advance of the time for a particular communication or, 
especially when using a different key for each transmission, 
just prior to the intended transmission time.

Each of these approaches, however, suffers from one or 
more serious disadvantages. For one thing, the wider the 
dissemination of the key, the more likely that its safety will 
be compromised. Similarly, the longer the key is in use — in 
terms of time alone or of the cumulative length of the
transmissions sent— the more likely it is that it may be 
broken or discovered by an interloper. In addition, the 
greater the number of keys to be used — either for different 
recipients or for different time periods — the more difficult it 
is to assure that the proper key will be used for the particular
transmission. Finally, the more often the parties need to 
obtain or forward the encoding keys, the more likely it is that 
the particular key will be intercepted during such informa- 
tion exchange, even if not only a different communication 
but also a different communications channel (such as a
telephone) than that to be used for the coded data transmis- 
sion (i.e. a data link) were to be employed to carry the
information about the encoding key.

These and other deficiencies have led to the development
of additional alternatives to secure data transmission. One 
currently employed alternative approach, commonly 
referred to as RSA public key encryption, involves the use 
of a total of four encryption keys — two for each party, one 
public and the other private. Each party knows (e.g. is able 
to retrieve from a safe storage location) its own public and 
private keys, and is able to obtain the public key of the 
respective other party since that key, as its name implies, is 
available to the "public", or at least to the system users or 
subscribers. In use, two such keys are actually employed at 
each of the issuing and receiving ends. More particularly, the 
initiator or originator of the transmission (i.e. the party 
desiring to send an encrypted message) first encodes the 
message using his or her own private code key, and then 
re-encodes such encoded message using the other party's 
(intended recipient's) public code key. The thus doubly- 
encoded message is then sent to the intended recipient and 
must be decoded at that end before the original message can 
be deciphered. To this end, a double decoding process akin 
to the double encoding process is performed at the recipient 
end, first using the recipient's private key and then decoding 
the result by utilizing the sender's public key. 

It will be appreciated that this approach is rather complex 
and cumbersome in that it requires double use of the 
respective coding (i.e. encoding or decoding, as the case 
may be) technique and/or equipment at each end, and cannot 
be performed (i.e. successfully commenced and concluded) 
unless each of the parties has the correct public key of the 
other party and uses it in conjunction with his or her own 
correct private key during the respective coding operation. 
The need for double coding and attendant entry of two 
different coding keys at each end of the transmission sig- 
nificantly increases the risk that machine or human error 
could result in the presentation of a garbled or otherwise 
indecipherable message to the intended recipient. 

OBJECTS OF THE INVENTION 

It is accordingly an object of the present invention to 
avoid the aforedescribed disadvantages of the prior art. 

More particularly, it is an object of the invention to 
provide a method of securely transferring data between 
respective issuers and intended recipients, which method 
does not possess the disadvantages of previously proposed 
or utilized methods of this type. 

Still another object of the present invention is to devise a 
method of the type here under consideration which avoids 
the need for prior knowledge at either of the transmission 
ends of any coding key being used at the respective other 
end. 

A concomitant object of the invention is to develop a 
method of the above type that is relatively simple to imple- 
ment and perform, and yet highly secure and reliable. 

SUMMARY OF THE INVENTION 

In keeping with these objects and others that will here- 
inafter become apparent, one feature of the present invention 
resides in a method for achieving secure data transmission 
between respective sending and receiving terminals of a 
telecommunication system. In accordance with one aspect of 
the present invention, this method comprises the steps of 
establishing a multiplicity of correlations each defining a 
relationship for pairing an arbitrary challenge data string in 
a unique and consistent manner with a different correspond- 
ing response data string, and associating each of these
multiple correlations with a corresponding one of the indi- 
vidual subscribers, including making each such correlation 
available to the corresponding individual subscriber and to 
the server device to enable the corresponding subscriber and
the server device to generate one of the arbitrary challenge 
data string and the corresponding response data string from 
the other of the arbitrary challenge data string and the 
corresponding response data string using said each correla- 
tion. This method further includes apprising the server
device of the identities of an originating subscriber and an 
intended receiving subscriber for a particular transmission. 
In accordance with the invention, a message to be conveyed 
in encrypted form in each particular transmission from the 
originating subscriber through the server device to the
intended receiving subscriber is cryptographically pro- 
cessed. This processing includes the steps of providing a first 
arbitrary challenge data string to define an originating sub- 
scriber pair formed of the first arbitrary challenge data string 
and a first response data string generated from the first
arbitrary challenge data string utilizing the correlation asso- 
ciated with the originating subscriber; generating, at the 
originating subscriber, the first response data string of the 
originating subscriber pair utilizing the first arbitrary chal- 
lenge data string and the correlation associated with the
originating subscriber; encrypting the message at the origi- 
nating subscriber using one of the data strings of the 
originating subscriber pair; posting the encrypted message 
and the other of the data strings of the originating subscriber 
pair to the telecommunications system at the originating
subscriber; receiving the encrypted message and the other of 
the data strings of the originating subscriber pair at the 
server device; generating the one of the data strings of the 
originating subscriber pair at the server device utilizing the 
correlation associated with the originating subscriber, and
decrypting the encrypted message at the server device using 
the said one of the data strings of the originating subscriber 
pair to recover the message. According to the inventive 
method, there is further provided a second arbitrary chal- 
lenge data string at the server device to define a receiving
subscriber pair formed of the second arbitrary challenge data 
string and a second response data string generated from the 
second arbitrary challenge data string utilizing the correla- 
tion associated with the receiving subscriber. The processing 
further includes re-encrypting the recovered message at the
server device using one of the data strings of the receiving 
subscriber pair, and posting the re-encrypted message and 
the other of the data strings of the receiving subscriber pair 
to the telecommunications system at the server device for 
delivery to the receiving subscriber. The re-encrypted mes-
sage and the other of the data strings of the receiving 
subscriber pair are received at the receiving subscriber, the 
one of the data strings of the receiving subscriber pair is 
generated at the receiving subscriber utilizing the correlation
associated with the receiving subscriber, and the re-encoded
message is decrypted at the receiving subscriber using the 
one of the data strings of the receiving subscriber pair to 
recover the message from the originating subscriber. 

A particularly advantageous implementation of the 
method of the present invention is obtained when each of the
telecommunication system terminals, which are connected 
with one another through the intervening server device, is 
associated with an interface device operative for transferring 
data between the respective terminal and a respective system 
subscriber card. Moreover, in this preferred implementation,
each of the subscriber cards includes at least a data storage 
and a processor for processing data obtained from the data 
storage and from the respective terminal and operable for
issuing output data to the respective terminal. Each card is 
also individualized for the respective individual subscriber 
by storing in its data storage a code key data string that is 
unique to that subscriber. There is further provided a reposi- 
tory that is accessible to the server device and that stores or 
enables server access to at least an association between each 
individual subscriber and the code key data string stored on 
the individual subscriber's individualized subscriber card. 

In that environment, this particular implementation of the 
method of the present invention is used to perform secure 
data transmission through the server device between the 
sending and receiving terminals, with some of the steps of 
the present method being performed at the sending terminal, 
others at the server device, and still others at the receiving 
terminal. 

The steps taking place at the sending terminal include: 
providing a unique original sender challenge data string; 
transferring the original sender challenge data string to the 
respective individualized sending subscriber card; process- 
ing the original sender challenge data string and the unique 
code key data string on the respective sending subscriber 
card to obtain a sender response data string that has a first 
relationship to the original sender challenge data string, 
which relationship is unique to the respective sending sub- 
scriber card; encoding original data that is to be securely 
transmitted by one of the sender response and challenge data 
strings to provide encoded data; and transmitting the 
encoded data and the other of the sender challenge and 
response data strings, together with identification of the 
sending subscriber card in unencrypted form and further 
information identifying the intended recipient subscriber, to 
the server device. 

These steps are followed by the following steps occurring 
at the server device: retrieving from the repository the code 
key data string associated with the thus-identified sending 
subscriber card; utilizing the unique first relationship deter- 
mined by the thus-retrieved code key data string to obtain 
the one from the other of the sender challenge and response 
data strings; decoding the encoded data utilizing the thus- 
obtained one of the sender response and challenge data 
strings; retrieving from the repository the unique recipient 
subscriber code key data string associated with the sub- 
scriber card issued to the intended recipient subscriber as 
identified in the further information; providing a unique 
original server challenge data string; processing the original 
server challenge data string and the retrieved unique recipi- 
ent subscriber code key data string in the same manner as 
they would be on the intended recipient subscriber card to 
obtain a server response data string that has a second 
relationship to the original server challenge data string, 
which second relationship is tailored for the respective 
intended recipient subscriber card; re-encoding the previ- 
ously decoded data by one of the server response and 
challenge data strings to provide re-encoded data; and 
transmitting the re-encoded data, together with the other of 
the server challenge and response data strings, to a respec- 
tive receiving terminal associated with the recipient sub- 
scriber. 

The method is then completed by performing the follow- 
ing steps at the receiving terminal: transferring the other of 
the server challenge and response data strings to the respec- 
tive individualized recipient subscriber card; processing the 
thus-transferred other of the server challenge and response 
data strings and the unique code key data string on the 
respective recipient subscriber card to obtain a recipient 
response data string that corresponds to the one of the server 
challenge and response data strings when conducted on the
intended recipient subscriber card in accordance with the 
second relationship; and decoding the re-encoded data uti- 
lizing the thus-obtained one of the server response and 
challenge data strings to provide an unencrypted replica of
the original data. 

It will be appreciated that the method of the present 
invention as heretofore described greatly simplifies the 
message encoding/decoding process for both the issuer and 
the intended recipient of the message in that it is accom-
plished with neither the issuer nor the intended recipient 
having to use the respective other subscriber's coding key. 
As a matter of fact, the respective subscriber does not even 
have to know or have direct access to the other subscriber's 
coding key or, for that matter, his or her own such key.
Moreover, the process can proceed without either subscriber 
having to know either the challenge or the response applied 
at the other subscriber's end or, provided that the respective 
terminal is programmed to generate the response and per- 
form the coding operation without outside input, even those
applicable at his or her own end. In other words, the entire 
coding process may be implemented so as to be transparent 
to the two subscribers, e.g. by using a computer-generated 
random number as the challenge applied at the issuing or 
sending terminal, thus relieving the communicating sub-
scribers of the burden of obtaining and entering any codes or 
other data strings to be used in the coding process at his or 
her end. Furthermore, so long as the code key is not 
revealed, there is no need to take special precautions beyond 
those needed to maintain the confidentiality of the message
itself in order to conceal the respective challenge or response 
data string applied at the respective subscriber's end, assum- 
ing that such information is available there to begin with. 

It is particularly advantageous when, in accordance with 
an aspect of the present invention, at least one of the
encoding and re-encoding steps includes employing the 
respective response data string to provide the respective 
encoded or re-encoded data; and wherein that of the trans- 
mitting steps which comes up first after the said one of the 
encoding and re-encoding steps includes sending the respec-
tive encoded or re-encoded data accompanied by the respec- 
tive challenge in unencrypted form. In this further scenario, 
it is also advantageous when that of the processing and 
utilizing steps which occurs just prior to the said one of the 
encoding and re-encoding steps includes utilizing a prede-
termined algorithm to form the respective response data
string in response to the respective challenge data string; and 
wherein that of the utilizing and processing steps which 
comes after the aforementioned one of the encoding and 
re-encoding steps includes utilizing the same predetermined
algorithm to make the respective response data string 
formed in response to the respective challenge data string 
identical to that used in the one of the encoding and 
re-encoding steps for use in the following one of the 
decoding steps.

An important advantage of this approach is that the 
relationship between the challenge and response data strings 
need not be symmetrical or reversible in the sense that there 
need exist an inverse relationship or algorithm operative for 
unambiguously reconstituting the original challenge data
string from the response data string and the respective
subscriber code key, and yet the coding process can proceed. 
This is so because the same conversion process or algorithm 
is used at both of the affected stations (i.e. the sending 
terminal and the decoding part of the server device, or the
re-encoding part of the server device and the receiving 
terminal) in the same direction (i.e. from the unencrypted
challenge data string to the response data string), so that a
need to proceed in the opposite direction does not arise. 
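As an added example, not the patent's own code, here is a runnable Python model of the sending-terminal, server and receiving-terminal steps laid out in the summary above, with HMAC-SHA256 standing in for the card's challenge-to-response correlation (an assumption; the patent names no algorithm) and a SHA-256 counter keystream standing in for the message cipher (also assumed). Subscriber names, code keys and the message are constructed sample values. The choice of HMAC also makes concrete the point of the preceding paragraph: every station uses the correlation only in the challenge-to-response direction, so a one-way function that cannot be inverted serves perfectly well.

```python
"""Toy model of the server-relayed challenge/response transmission described above.
Added example; HMAC-SHA256 as the correlation and a SHA-256 keystream as the cipher
are assumptions made here, not the patent's choices."""
import hashlib
import hmac
import os


def response_for(code_key: bytes, challenge: bytes) -> bytes:
    """The per-subscriber correlation: challenge -> response. One-way by construction;
    the summary notes that an inverse is never needed because both ends compute this
    same direction."""
    return hmac.new(code_key, challenge, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with a SHA-256 counter keystream derived from the
    response. XOR is its own inverse, so one function serves both directions."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


class SubscriberCard:
    """Holds the secret code key; the terminal only ever receives responses from it."""
    def __init__(self, subscriber_id: str, code_key: bytes):
        self.subscriber_id = subscriber_id
        self._code_key = code_key

    def respond(self, challenge: bytes) -> bytes:
        return response_for(self._code_key, challenge)


class Server:
    """The protected relay with repository access: decrypts with the sender's
    correlation, then re-encrypts under a fresh challenge for the recipient."""
    def __init__(self, repository: dict):
        self._repository = repository  # subscriber id -> code key (the repository 21)

    def relay(self, envelope: dict) -> dict:
        sender_key = self._repository[envelope["from"]]
        plaintext = keystream_xor(response_for(sender_key, envelope["challenge"]),
                                  envelope["ciphertext"])
        recipient_key = self._repository[envelope["to"]]
        new_challenge = os.urandom(16)               # the "original server challenge"
        return {
            "to": envelope["to"],
            "challenge": new_challenge,              # sent in the clear
            "ciphertext": keystream_xor(response_for(recipient_key, new_challenge), plaintext),
        }


def send(card: SubscriberCard, recipient_id: str, message: bytes) -> dict:
    """Sending terminal: fresh challenge, card-derived response, encrypt, post."""
    challenge = os.urandom(16)                       # the "original sender challenge"
    return {"from": card.subscriber_id, "to": recipient_id, "challenge": challenge,
            "ciphertext": keystream_xor(card.respond(challenge), message)}


def receive(card: SubscriberCard, envelope: dict) -> bytes:
    """Receiving terminal: hand the clear challenge to the card, decrypt with its response."""
    return keystream_xor(card.respond(envelope["challenge"]), envelope["ciphertext"])


def demo(message: bytes = b"meet at the usual place") -> dict:
    repo = {"alice": os.urandom(32), "bob": os.urandom(32)}   # constructed code keys
    alice = SubscriberCard("alice", repo["alice"])
    bob = SubscriberCard("bob", repo["bob"])
    server = Server(repo)
    hop1 = send(alice, "bob", message)       # terminal -> server
    hop2 = server.relay(hop1)                # server -> terminal, re-encrypted
    stranger = SubscriberCard("eve", os.urandom(32))           # card not in the repository
    return {"message": message, "hop1": hop1, "hop2": hop2,
            "delivered": receive(bob, hop2), "wrong_card": receive(stranger, hop2)}


if __name__ == "__main__":
    r = demo()
    print("delivered intact:", r["delivered"] == r["message"])
    print("wrong card decrypts correctly:", r["wrong_card"] == r["message"])
```

Two properties of the model are worth noticing. Every message gets a fresh challenge and therefore a fresh message key, so a subscriber's code key never leaves the card or the repository and is never used directly as a cipher key. And the server necessarily handles the plaintext between the two hops, which is why the summary and the detailed description place the server device and its repository in the protected zone and restrict what it may do with the retrieved keys. The XOR keystream gives confidentiality only; a deployment would add an integrity check over the ciphertext and the clear challenge so that neither can be altered in transit unnoticed.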

The novel features which are considered as characteristic 
of the invention are set forth in particular in the appended 
claims. The improved method of performing secure data 
transmission itself, together with additional features and 
advantages thereof, will however be best understood upon 
perusal of the following detailed description of certain
specific embodiments with reference to the accompanying 
drawing. 

BRIEF DESCRIPTION OF THE DRAWING 

In the drawings, wherein like reference numerals identify 
similar elements throughout the several views: 

FIG. 1 is a block diagram showing pertinent portions of 
a transmission system apparatus that may be employed in 
the practice of the method of the present invention; and 

FIG. 2 is another block diagram illustrating various elec- 
tronic components and circuitry provided on a typical indi- 
vidualized subscriber card that may be used in the system of 
FIG. 1 for performing encoding of messages and the like in 
accordance with the method of the present invention. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring now to the drawings, and initially to FIG. 1, it 
may be seen that the reference numeral 10 has been used 
therein to identify a telecommunications system of a type 
suited for performing encryption and decryption processes 
in accordance with the present invention. The system 10 is 
shown diagrammatically, and only to the extent necessary to 
describe and enable a clear understanding of the present 
invention. 

As is well known, the telecommunication system 10 
typically includes a very large number of subscriber termi- 
nals or stations 11.1 to 11.n (with n denoting any positive
integer number exceeding one); however, only those two 
terminals specifically mentioned above and various devices 
and/or items associated with each have been illustrated since 
this is all that is needed to fully describe the inventive 
method. To further simplify the following explanation, each 
of the terminals 11.1 to 11.n, together with all associated
devices and items, will be collectively referred to as terminal 
equipment 12.1 to 12.n, and only the terminal equipment 
12.1 will be described in some detail as to its basic con- 
struction and operation. However, it should be understood 
that each additional terminal equipment 12.n is identical to 
the terminal equipment 12.1, if not in all details then at least 
in those respects, including the presence of corresponding 
components, that make the various units of terminal equip-
ment 12.1 to 12.n compatible with one another in the sense
of being capable of exchanging and processing a variety of 
data from various sources. 

In a currently preferred implementation of the present 
invention, the terminal equipment 12.1 includes, besides the 
terminal 11.1 itself, a card reader 13.1 that is constructed, in 
a known manner, to at least read or retrieve data stored on 
a compatible subscriber card 14.1. While the card 14.1 is 
portable and may be used at any of the terminals 11.1 to 11.n,
it will for the sake of simplicity be treated here as an item 
associated with the terminal 11.1 alone and thus constituting
a component of the terminal equipment 12.1. For the card 
14.1 to be fully capable of use in accordance with all aspects 
of the present invention, it is contemplated that it advanta-
geously be at least of the so-called "smart card", if not the
"super-smart card", type, as will be explained below in
conjunction with FIG. 2. Of course, the card reader 13.1 
should be compatible with the card 14.1, whatever its type 
or capabilities or features. 

The card reader 13.1 is connected, as by a data line or bus
15.1, with an input/output (I/O) unit 16.1 of the terminal
11.1. The I/O unit 16.1 is connected with a central process- 
ing unit (CPU) 17.1 that, in turn, is connected with a 
memory or data storage unit 18.1. For purposes of discus- 
sion, it will be assumed that the memory unit 18.1 contains
the text of a message that is to be sent to the terminal 11.n
after it has been encrypted for security during transmission. 
In this scenario, it will also be assumed that the memory unit 
18.n is intended to store the text of the message after it has 
been decrypted. The actual text encryption and decryption
may and typically will be performed by the respective one 
of the CPU units 17.1 to 17.n. It should be apparent that data 
transmission can take place from any one of the terminals 
11.1 to 11.n to any other, including in a direction opposite to
that assumed here, i.e. from the terminal 11.n to the terminal
11.1. Nevertheless, the operation of the system 10 in accor- 
dance with the method of the present invention will by way 
of example be explained here as applied to a situation in 
which the terminal 11.1 is the originating or transmitting, 
and terminal 11.n is the receiving, station or terminal.

The transmission between the terminals 11.1 and 11.n in
the system 10 of the present invention does not take place 
directly from terminal to terminal; rather, the I/O units 16.1 
of all of the terminals 11.1 to 11.n are connected or linked,
through respective data transmission channels (e.g. shielded
data transmission lines, cables, busses, optical fiber cables or 
wireless links or the like) 19.1 to 19.n, with a server device 
20. The server device 20 itself, as well as the information 
contained therein, is maintained in a highly protected, secure 
manner by the owner or operator of a telecommunication 35 
network incorporating or used in conjunction with the 
system 10. The server device 20 is connected for commu- 
nication with, or may even physically incorporate, a reposi- 
tory 21 of certain information, including that associating 
individual subscriber cards 14.1 to 14.n that have been 40 
personalized or individualized prior to their issuance to 
individual subscribers to the system 10, with such subscrib- 
ers and with secret key codes that have been assigned to each 
such subscriber in the course of the individualization pro- 
cess. This association information is maintained in the 45 
repository 21 in a secure and highly confidential manner. 
Moreover, while the server device 20 is able to access and 
retrieve the confidential association and key number infor- 
mation from the repository 21, it can use it for only limited 
purposes, and well known or otherwise appropriate mea- 50 
sures are taken to assure that this information not be released 
to unauthorized persons, including server device operating 
personnel with no need to know, or to unauthorized desti- 
nations (e.g. computer hacker terminal equipment), or for 
unauthorized uses. 55 

The safeguarding of this information, which is highly sensitive because its release could result in compromising the secrecy of encrypted communications issued or received by a subscriber affected by the revealing of this information, goes even beyond the securement of the server device 20 in that, as currently preferred, even the subscriber himself or herself does not know or have direct access to his or her code key, although the same is stored by the subscriber's personalized subscriber card 14.1. To this end, the card 14.1 (like each other such card 14.n) may include, as indicated in FIG. 2 of the drawings, a memory 22.1 having at least a portion 23.1 that is protected in the sense that the data contained therein can only be accessed for limited purposes and cannot be "data-dumped", i.e. extracted from the respective card 14.1 either directly or through some manipulation of either the data or of the card. Suitable measures used to achieve this safeguarding feature are known to those skilled in this art and need not be elaborated upon here, particularly since they do not form a part of the present invention.

As also shown in FIG. 2, the respective subscriber card 14.1 further includes a processor 24.1 capable of retrieving information contained in the memory 22.1, inclusive of that secretly maintained in the memory portion 23.1, and of processing such information together with other information or data, as for example that obtained from an input/output (I/O) device 25.1 that is also present on the card 14.1, to generate output information and issue the same through the I/O device 25.1 to the card reader 13.1 for further handling thereat and/or transmission to the terminal 11.1, all in a manner hereinafter described.

Inasmuch as the card 14.1 includes at least basic data storage and processing devices and circuitry, it qualifies for the designation "smart card" that is increasingly being used to describe passive cards with data processing capability, as distinguished from the traditional magnetic strip and similar "memory only" cards. The card 14.1 of this type is not equipped to permit the user or subscriber to enter any data into it, and ordinarily does not even include means for displaying any data available in or from the card 14.1. Such capabilities, if needed, must accordingly be provided by other equipment such as the card reader 13.1, the terminal 11.1 and/or keyboard and/or display equipment associated therewith (not shown). In any event, as indicated in broken lines in FIG. 2, the card 14.1 may alternatively be of the "super-smart" type, being in such case additionally provided with a mini-keyboard 26.1 connected with the processor 24.1 to supply data entries thereto, and/or a display device (such as a liquid crystal display) 27.1 for receiving data to be displayed from the processor 24.1 through the I/O device 25.1 and for presenting that data in a visually perceptible form.

Cards of the type thus described are currently available from several sources and under a variety of appellations, including as AT&T Smart Cards, as are the associated card readers and other terminal equipment, so that it is not necessary at this point to describe them in further detail. Suffice it to say that the equipment and circuitry described above, albeit largely conventional in nature, is configured in such manner as to perform certain hereinafter-described tasks in accordance with the present invention.

Having thus described the structural elements and arrangements of the system 10, the features of the currently preferred implementation of the present invention will now be discussed as employed in or in conjunction with the system 10 for generating an encrypted message at the sending or originating terminal 11.1 and for decrypting it at the receiving terminal 11.n, using the respective subscriber cards 14.1 and 14.n at the respective transmission link ends or terminals 11.1 and 11.n.

The operation of the system 10 in accordance with this implementation of the invention commences at the origination or issuing terminal 11.1 in that, when a message is to be sent in a secured (encoded or encrypted) fashion, a challenge data string is presented to the processor 24.1 of the card 14.1. This challenge data string may be internally generated either at the terminal 11.1 or on the card 14.1, or even by the server device 20, as by a random number generator; however, if preferred, the challenge data string may instead be arbitrarily selected and manually or otherwise entered by the subscriber, as for example through the mini-keyboard 26.1 if provided, or through a keyboard associated with the terminal 11.1, or through a similar or functionally equivalent device incorporated in or associated with the card reader 13.1 (the latter two possibilities not having been illustrated). On receipt of the challenge data string, the processor 24.1 located on the card 14.1 retrieves the subscriber's own secret code key from the memory portion or secret memory cache 23.1, and processes the two data strings in accordance with a predetermined or known protocol or algorithm to obtain a response data string. At this juncture, it should be mentioned that even though the algorithm used to arrive at the response data string from the challenge data string is contemplated as being the same for all of the subscriber cards 14.1 to 14.n (and the same as that used at the server device 20, as discussed below), the response data string generated at each of the subscriber cards 14.1 to 14.n will be unique to that subscriber card, that is, different from the response data string obtained from any other of the cards 14.1 to 14.n if any such other card were presented with the identical challenge data string. This different card "reaction" to the challenge string results from the use of the different, unique subscriber code key stored in or on each of the cards 14.1 to 14.n. It will nevertheless be appreciated that the foregoing approach, while currently preferred, is not the only one that may be used in accordance with the present invention to obtain the desired unique relationship or correlation between any arbitrarily chosen challenge data string and the corresponding response data string associated with the particular subscriber and/or his or her card 14.1 to 14.n. Another implementation contemplates a look-up or conversion table instead of or in combination with an appropriate conversion or processing algorithm. In any event, what is important in the context of the present invention is that the correlation applicable to each pair of challenge and response data strings, while different from one subscriber to another, be consistent or reproducible insofar as each particular subscriber is concerned, i.e. that the response data string corresponding to a particular challenge data string is always the same, no matter how many attempts are made and at what location, so long as the correlation associated with the particular subscriber is used to arrive at one of the members of such data string pair from the other.

With the unique card response data string having been generated on the card 14.1, the actual encoding of the message to be transmitted can commence, in one of two presently-contemplated manners using the challenge and response data strings. One is to employ the challenge data string as the encryption key for the message, in which case the response data string would then be sent with the challenge-encrypted message to the server device 20 for use in further handling (i.e. decryption) of the message. The other is to encrypt the message using the response data string and to then send the original challenge data string with the response-encrypted message for similar use at the server device 20. It is currently preferred to use the latter approach in the aforementioned implementation, and the following description will assume that approach; however, it will be appreciated that the principles described in conjunction with this particular method are equally applicable, with only a minimum of self-evident adaptation, to the other alternative as well. The exact algorithm used to encrypt the data or message using either the challenge or the response data string is substantially a matter of design choice.

When the encrypted message and the accompanying information sent with it — which may include, in addition to the challenge data string, at least some information to enable the server device 20 to determine from whom or where the transmission originated (i.e. the identity of the owner of the subscriber card 14.1) — is received by the server device 20, the latter retrieves the code key that is associated with the originator's subscriber card 14.1 (i.e. the code key that is stored on the card 14.1) from the repository 21. The server device 20 then processes the thus-retrieved subscriber code key and the (unencrypted) original challenge data string that had been received from the terminal 11.1 as a part of the transmission, in the same way (i.e. using the same algorithm or correlation) as that used by the originating subscriber to generate the response data string with which the original message was encrypted. Using the same starting values and processing operations at the server device 20 as were used at the subscriber site, the server device 20 thus generates a response data string to the challenge data string that is identical to that which was generated using the subscriber card 14.1 and used to encode the original message received by the server device 20. The server device 20 then uses this information to decrypt the encoded message and to thereby restore it to its original unencrypted state.

As will be apparent, since the server device 20 is only an intermediary in the transmission and not the intended ultimate recipient, steps must be taken to safeguard the message as it is next transmitted from the server 20 to the recipient terminal 11.n. Toward that end, the message is re-encrypted before it is transmitted from the server device 20 to the receiving terminal 11.n; in brief, the server device 20 employs substantially the same technique as that described above between the originating subscriber and the server device 20, but now geared toward the ultimate recipient. First, the server device 20 determines, as from the message itself — where this information may be a part of the encoded text (cryptotext), or may have accompanied the encrypted text in unencrypted (plaintext) form — the identity of the intended ultimate recipient and correspondingly identifies the subscriber card 14.n issued to that subscriber. With this information, the server device 20 accesses the repository 21 to retrieve the secret code key for that subscriber, which is embedded in the restricted memory portion 23.n of the receiving subscriber card 14.n. From there, the process is the same as that discussed above: the server device 20 produces a response data string to a locally-generated random number challenge data string using the same algorithm as before, uses the resulting response data string to re-encrypt the previously deciphered or decrypted message, and sends the so re-encoded message, together with the new unencrypted challenge data string, to the recipient terminal 11.n.

Upon receipt of this re-transmission at the recipient terminal 11.n, or as and when instructed to do so at some later time by the recipient subscriber, the challenge data string is sent to the card reader 13.n. Assuming that the proper card 14.n (i.e. that of the intended recipient) is present in the card reader 13.n, the challenge data string is processed by the processor 24.n of the card 14.n using the same code key (this time retrieved from the memory 22.n of the subscriber card 14.n) and the same algorithm or correlation as that previously used by the server device 20, to produce the identical response data string with which the message was re-encrypted. The resulting response data string generated by the processor 24.n of the subscriber card 14.n is then used by the receiving subscriber at the terminal 11.n to decrypt the server re-encrypted message, i.e. to restore it to the original, unencrypted form with which the originating subscriber initiated the transmission process.

An example of a transmission in accordance with the invention will now be described to further illustrate the features explained above. In the listing, square brackets enclose encrypted or re-encrypted portions of the transmission, portions outside brackets are sent unencrypted, quotation marks mark identification information, and parentheses enclose explanatory matter.

The transmission sent from the originating terminal 11.1 may by way of example read as follows:

(header:) to "server" from "subscriber1"
(body:) challenge1, [message1],

wherein [message1] contains:

[(header:) to "subscriber2"
(body:) message],

and wherein response1 (to challenge1) has been used to encode [message1].

Using the thus-received "subscriber1" information, the server device 20 retrieves the associated code key from the repository 21 and uses it, together with challenge1, to recreate response1. It then uses the thus-obtained response1 to regenerate (decrypt) message1 from [message1]. That will reveal the "subscriber2" information to the server device 20 and permit the "subscriber2" information to be used to similarly retrieve the intended recipient code key from the repository 21 and to use the retrieved recipient code key, together with a locally-generated challenge2, to produce a response2 that is then used to form a re-encrypted [message2] which is included in a transmission sent to the terminal 11.n associated with "subscriber2" and reading, basically, as follows:

(header:) to "subscriber2" from "server"
(body:) challenge2, [message2],

wherein [message2] contains:

[(header:) from "subscriber1"
(body:) message].

The intended recipient, after becoming aware of the arrival of such transmission, uses his or her subscriber card 14.n to generate the response2 to the server-transmitted challenge2, and to decrypt [message2] using the thus obtained response2 to restore message2 and thus message to its original, usually plaintext form.
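The complete exchange described above, from the originating card through the server device 20 to the recipient card, written out as an added Python example; it is not code from the patent. The patent leaves both the challenge-to-response correlation and the message cipher as design choices, so this example assumes HMAC-SHA256 for the correlation and a keystream cipher derived from HMAC-SHA256 in counter mode for the message, which keeps it to the standard library. The subscriber identifiers, code keys and message are constructed sample values.

```python
import hashlib
import hmac
import secrets


# The "correlation" of the patent: a per-subscriber code key turns an
# arbitrary challenge into a response that is reproducible for that
# subscriber and different for every other one. HMAC-SHA256 is an
# assumption; the patent leaves the algorithm open.
def correlate(code_key: bytes, challenge: bytes) -> bytes:
    return hmac.new(code_key, challenge, hashlib.sha256).digest()


# Message cipher keyed with the response string. Also an assumption: a
# keystream from HMAC-SHA256 in counter mode, XORed onto the data. Because
# it is a stream cipher, a challenge must never be repeated under the same
# code key, or two messages would share a keystream.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts alike (XOR with the keystream)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class SubscriberCard:
    """Card 14.x: the code key sits in protected memory 23.x and is never
    exported; only responses leave the card."""

    def __init__(self, subscriber_id: str, code_key: bytes):
        self.subscriber_id = subscriber_id
        self._code_key = code_key

    def respond(self, challenge: bytes) -> bytes:
        return correlate(self._code_key, challenge)


def originate(card: SubscriberCard, recipient: str, message: bytes) -> dict:
    """Terminal 11.1: challenge1 in the clear, [message1] under response1.
    The recipient identity travels inside the encrypted envelope."""
    challenge1 = secrets.token_bytes(16)
    response1 = card.respond(challenge1)
    envelope = recipient.encode() + b"\n" + message
    return {"to": "server", "from": card.subscriber_id,
            "challenge": challenge1, "body": xor_crypt(response1, envelope)}


class Server:
    """Server device 20 with repository 21 (subscriber id -> code key).
    It recovers the plaintext in transit, so the repository is the single
    point whose compromise exposes every subscriber."""

    def __init__(self, repository: dict):
        self._repository = repository

    def relay(self, transmission: dict) -> dict:
        sender = transmission["from"]
        response1 = correlate(self._repository[sender], transmission["challenge"])
        envelope = xor_crypt(response1, transmission["body"])
        recipient, message = envelope.split(b"\n", 1)
        recipient = recipient.decode()
        challenge2 = secrets.token_bytes(16)            # locally generated
        response2 = correlate(self._repository[recipient], challenge2)
        envelope2 = sender.encode() + b"\n" + message
        return {"to": recipient, "from": "server",
                "challenge": challenge2, "body": xor_crypt(response2, envelope2)}


def receive(card: SubscriberCard, transmission: dict) -> tuple:
    """Terminal 11.n: the card regenerates response2 from challenge2."""
    response2 = card.respond(transmission["challenge"])
    envelope = xor_crypt(response2, transmission["body"])
    sender, message = envelope.split(b"\n", 1)
    return sender.decode(), message


def run_example() -> tuple:
    # Constructed sample code keys, as assigned at card personalization.
    keys = {"subscriber1": hashlib.sha256(b"personalize:subscriber1").digest(),
            "subscriber2": hashlib.sha256(b"personalize:subscriber2").digest()}
    card1 = SubscriberCard("subscriber1", keys["subscriber1"])
    card2 = SubscriberCard("subscriber2", keys["subscriber2"])
    server = Server(dict(keys))
    tx1 = originate(card1, "subscriber2", b"Merger terms attached.")
    tx2 = server.relay(tx1)
    return receive(card2, tx2)


if __name__ == "__main__":
    print(run_example())   # ('subscriber1', b'Merger terms attached.')
```

Two points the listing makes visible that the prose only implies: the server is a decrypting relay, not an end-to-end channel, so confidentiality rests entirely on the repository 21 and on the server's operating personnel; and nothing here authenticates the ciphertext, so a deployment would add an integrity check (a MAC over challenge and body under a key derived from the response) before the server or the recipient acts on a decrypted envelope.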

The example presented above has particular but not exclusive utility when it is desired to conceal the fact that the originating and receiving subscribers are communicating. Incipient business merger contacts and negotiations between warring political entities may provide illustrative examples of situations in which the release of information that particular parties are "talking" could be detrimental, irrespective of the actual contents of the exchanged messages. However, where for example this information is not sensitive, the identification of the intended recipient may be indicated by the originating subscriber directly or outside of the "envelope" containing (i.e. as a plaintext part of the header of) the encrypted [message1]. In other words, the originating header might then read: to "subscriber2" from "subscriber1", and the same or similar language might also be used in the header sent by the server device 20 to the intended recipient. The transmission would nonetheless still be intercepted by the server device 20 between the originating and receiving subscribers and processed thereat in a manner substantially identical to that described above. The involvement of or intervention by the server device 20 in the transmission would, in such an arrangement, be transparent to both the originator and the recipient of the transmission.

While the invention has been illustrated and described as embodied in a particular arrangement and apparatus, it is not intended to be limited to the details shown since various modifications and structural changes may be made without departing in any way from the spirit of the present invention.

Without further analysis, the foregoing will so fully reveal the gist of the present invention that others can, by applying current knowledge, readily adapt it for various applications without omitting features that, from the standpoint of prior art, fairly constitute essential characteristics of the generic and specific aspects of the contribution to the art and, therefore, such adaptations should and are intended to be comprehended as within the meaning and range of equivalence of the claims. What is claimed as new and desired to be protected by Letters Patent is set forth in the appended claims.
What is claimed is: 

1. A method of performing secure data transmission of messages between individual subscribers of a telecommunications system that includes individual terminals linked by a server device, comprising the steps of:

establishing a multiplicity of correlations each defining a relationship for pairing an arbitrary challenge data string in a unique and consistent manner with a different corresponding response data string;

associating each of said multiple correlations with a corresponding one of the individual subscribers, and making said each correlation available to the corresponding individual subscriber and to the server device to enable the corresponding subscriber and the server device to generate one of the arbitrary challenge data string and the corresponding response data string from the other of the arbitrary challenge data string and the corresponding response data string using said each correlation;

apprising the server device of the identities of an originating subscriber and an intended receiving subscriber for a particular transmission; and

cryptographically processing a message to be conveyed in encrypted form in each said particular transmission from the originating subscriber through the server device to the intended receiving subscriber, comprising the steps of:

providing a first arbitrary challenge data string to define an originating subscriber pair formed of the first arbitrary challenge data string and a first response data string generated from the first arbitrary challenge data string utilizing the correlation associated with the originating subscriber;

generating, at the originating subscriber, the first response data string of the originating subscriber pair utilizing the first arbitrary challenge data string and the correlation associated with the originating subscriber;

encrypting the message at the originating subscriber using one of the data strings of the originating subscriber pair, and posting the encrypted message and the other of the data strings of the originating subscriber pair to the telecommunications system at the originating subscriber;

receiving the encrypted message and the other of the data strings of the originating subscriber pair at the server device, generating the one of the data strings of the originating subscriber pair at the server device utilizing the correlation associated with the originating subscriber, and decrypting the encrypted message at the server device using the said one of the data strings of the originating subscriber pair to recover the message;

providing a second arbitrary challenge data string at the server device to define a receiving subscriber pair formed of the second arbitrary challenge data string and a second response data string generated from the second arbitrary challenge data string utilizing the correlation associated with the receiving subscriber;

re-encrypting the recovered message at the server device using one of the data strings of the receiving subscriber pair, and posting the re-encrypted message and the other of the data strings of the receiving subscriber pair to the telecommunications system at the server device for delivery to the receiving subscriber;

receiving the re-encrypted message and the other of the data strings of the receiving subscriber pair at the receiving subscriber, generating the one of the data strings of the receiving subscriber pair at the receiving subscriber utilizing the correlation associated with the receiving subscriber, and decrypting the re-encrypted message at the receiving subscriber using the said one of the data strings of the receiving subscriber pair to recover the message from the originating subscriber.

2. The method as defined in claim 1, wherein said associating step includes providing each said individual subscriber with an individualized card that includes a data storage containing an individual code key unique to said corresponding individual subscriber, storing said individual code keys for all of said individual subscribers in a repository accessible to the server device in a manner identifying each said code key with the corresponding individual subscriber, and providing each of said individual subscribers and said server device with access to an algorithm that establishes the correlation of said each individual subscriber when used in conjunction with the code key of said each individual subscriber, and wherein said step of making said each correlation available includes retrieving the respective code key and said algorithm at each of said individual subscribers and at said server device for use in said generating steps.

3. The method as defined in claim 2, wherein said associating step further includes providing each of said individual subscriber cards with data processing capability; and wherein said steps of generating said first response data string of the originating subscriber pair at the originating subscriber and said one of said data strings of the receiving subscriber pair at the receiving subscriber include processing said first arbitrary challenge data string and said other of said receiving subscriber data strings on a respective one of the originating and receiving subscriber cards utilizing the correlation associated with the originating and with the receiving subscriber, respectively, as obtained from the respective subscriber card.

4. A method of performing secure data transmission between respective sending and receiving telecommunication system terminals that are connected with one another through a server device, each of said terminals being associated with an interface device operative for transferring data between the respective terminal and a respective system subscriber card that includes at least a data storage and a processor for processing data obtained from the data storage and from the respective terminal and operable for issuing output data to the respective terminal, each of the subscriber cards being individualized prior to issuance thereof to a respective individual subscriber by storing in its data storage a unique code key data string, with at least an association between each individual subscriber and the unique code key data string stored on that individual subscriber's individualized subscriber card being stored in a repository accessible to the server device, comprising the steps of:

(A) at a respective sending terminal:

(i) providing a unique original sender challenge data string;

(ii) transferring the original sender challenge data string to the respective individualized sender subscriber card;

(iii) processing the original sender challenge data string and the unique code key data string on the respective sender subscriber card to obtain a sender response data string that has a first relationship to the original sender challenge data string, which relationship is unique to the respective sending subscriber card;

(iv) encrypting original data that is to be securely transmitted by the sending subscriber using one of the sender response data string and the challenge data string to provide encrypted data; and

(v) transmitting the encrypted data and the other of the sender challenge data string and the response data string to the server device;

(B) at the server device:

(i) receiving from the sending terminal the encrypted data and the other of the sender challenge data string and the response data string;

(ii) retrieving from the repository the code key data string associated with the subscriber card of the sending subscriber;

(iii) utilizing the unique first relationship of the retrieved code key data string to obtain the one from the other of the sender challenge data string and the response data string;

(iv) decrypting the received encrypted data utilizing the thus obtained one of the sender response data string and the challenge data string;

(v) retrieving from the repository the unique recipient subscriber code key data string associated with the subscriber card issued to the intended recipient subscriber;

(vi) providing a unique server challenge data string;

(vii) processing the server challenge data string and the retrieved unique recipient subscriber code key data string to obtain a server response data string that has a second relationship to the original server challenge data string, which relationship is tailored for the respective intended recipient subscriber card;

(viii) re-encrypting the server-decrypted data using one of the server response data string and the server challenge data string to provide server re-encrypted data; and

(ix) transmitting the server re-encrypted data, together with the other of the server challenge data string and the server response data string, to a respective receiving terminal associated with the recipient subscriber; and

(C) at the respective receiving terminal:

(i) receiving from the server device the server re-encrypted data and the other of the server challenge data string and the server response data string;

(ii) transferring the other of the server challenge data string and the server response data string to the respective individualized recipient subscriber card;

(iii) processing the received other of the server challenge data string and the server response data string and the unique code key data string on the respective recipient subscriber card to obtain a resultant recipient data string corresponding to the one of the server challenge data string and the server response data string used for the encryption at the server device; and

(iv) decrypting the server re-encrypted data utilizing the one of the received server response data string and the server challenge data string to provide a replica of the original data.

5. The method as defined in claim 4, wherein at least one of said encrypting and re-encrypting steps includes employing the respective response data string to provide one of the respective encrypted and re-encrypted data; and wherein said step of transmitting said one of said encrypted and re-encrypted data includes sending the respective challenge data string with such data.

6. The method as defined in claim 5, wherein at least one of said processing steps and an associated one of said utilizing steps use an identical algorithm to form the respective response data string in response to the respective challenge data string.

7. A method of performing secure data transmission of messages between individual subscribers of a telecommunications system that includes individual terminals linked by a server device, comprising the steps of:

establishing a multiplicity of correlations each defining a relationship for pairing an arbitrary challenge data string in a unique and consistent manner with a different corresponding response data string;

making each of said multiple correlations available to a corresponding one of the individual subscribers, and all of said multiple correlations available to the server device in identifying associations with said corresponding individual subscribers;

apprising the server device of the identities of an originating subscriber and an intended receiving subscriber for a particular transmission;

cryptographically processing an original message to be conveyed in encrypted form in said particular transmission from the originating subscriber through the server device to the intended receiving subscriber, comprising the steps of:

generating an originating subscriber pair of the challenge and response data strings at one of said originating subscriber and server device utilizing the correlation associated with the originating subscriber;

communicating one of the data strings of said originating subscriber pair from said one to the other of said originating subscriber and server device;

regenerating the other of the data strings of said originating subscriber pair at the other of said originating subscriber and server device from the thus communicated one data string;

encrypting the message at the originating subscriber using said other of the data strings of the originating subscriber pair;

posting the encrypted message to the telecommunications system at the originating subscriber;

receiving the encrypted message at the server device;

decrypting the encrypted message at the server device using the said other of the data strings of the originating subscriber pair to recover the message; and

cryptographically reprocessing the thus recovered message at the server device and at the receiving subscriber in a manner corresponding to that employed in the performance of said cryptographically processing step at the originating subscriber and at the server, utilizing the correlation associated with the receiving subscriber in place of that associated with the originating subscriber.

* * * * *

ABSTRACT
A method is provided for generating and verifying a 
digital signature of a message m. This method requires a 
pair of corresponding public and secret keys (y and x) 
for each signer, as well as a pair of public and secret 
values (r and k) generated for each message by the 
signer. The public value r is calculated according to the 
rule r=(g k mod p) mod q. A value s is then selected 
according to the rxAes=k- l (H(m)+xr) mod q where H 
is a known conventional hashing function. The message 
m, along with the signature (r,s) is then transmitted. 
When the transmitted signal is received a verification 
process is provided. The received values of r and s are 
tested to determine whether they are congruent to 0 
mod g. Additionally, r is tested to determine whether it 
is equal to v mod q, where v is computed from r, s, m 
and y. For legitimately executed signatures, v=g k mod 
• A 

44 Claims, 3 Drawing Sheets 
DIGITAL SIGNATURE ALGORITHM

BACKGROUND OF THE INVENTION

1) Field of the Invention

The field of this invention is data integrity, and in particular generating and verifying a digital signature for a message or data file.

2) Background Art

When a message is transmitted from one party to another, the receiving party may desire to determine whether the message has been altered in transit. Furthermore, the receiving party may wish to be certain of the origin of the message. It is known in the prior art to provide both of these functions using digital signature algorithms. Several known digital signature algorithms are available for verifying the integrity of a message. These known digital signature algorithms may also be used to prove to a third party that the message was signed by the actual originator.

The use of public key cryptography to achieve instantiations of these digital signature algorithms is also known in the art. For example, Diffie and Hellman teach using public key cryptography to derive a digital signature algorithm in "New Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, pp. 472-492, 1976. See also U.S. Pat. No. 4,200,770. Since then, several attempts have been made to find practical public key signature techniques which depend on the difficulty of solving certain mathematical problems to make message alteration or forgery by unauthorized parties difficult. For example, the Rivest-Shamir-Adleman system depends on the difficulty of factoring large integers. See R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, Feb. 1978, Vol. 21, No. 2, pp. 120-126, and U.S. Pat. No. 4,405,829.

Taher ElGamal teaches a signature scheme in "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" in IEEE Transactions on Information Theory, Vol. IT-31, No. 4, Jul. 1985. It is believed that this system relies on the difficulty of computing discrete logarithms over finite fields. In the system taught by ElGamal m denotes a document to be signed, where 0 ≤ m ≤ p-2, where p is a large prime and a is a primitive element mod p, both known. In any of the cryptographic systems based on discrete logarithms, p must be chosen such that p-1 has at least one large prime factor. If p-1 has only small prime factors, then computing the discrete logarithms is easy. The public file consists of a public key y = a^x mod p for each user, where each user has a secret x, a large prime p, and a primitive element a. To sign a document, user A uses a secret key x_A to find a signature for m in such a way that all users can verify the authenticity of the signature by using the public key y_A together with a and p, and no one can forge a signature without knowing the secret x_A.

The signature for m is the pair (r,s), 0 ≤ r,s < p-1, chosen such that

a^m = y^r r^s mod p    Equation (1)

is satisfied.

In many applications it is convenient or necessary to sign the message on-line. However, the Rivest-Shamir-Adleman system is expensive to sign on-line. The system of ElGamal, however, allows much of the computation to be done prior to going on-line since use is made of values which are not dependent upon message m. Thus, on-line signature generation is very simple in the system of ElGamal.

The signing procedure in the method taught by ElGamal includes three steps. In the first step, a random number k is chosen such that k is uniformly between 0 and p-1, and gcd(k, p-1) = 1. Next, r is determined by the relationship

r = a^k mod p.    Equation (2)

In view of Equation (2), the relationship which must be satisfied for determining the signature for message m, as set forth in Equation (1), may be written as

a^m = a^{xr} a^{ks} mod p.    Equation (3)

Equation (3) may be solved for s by using

m = xr + ks mod (p-1).    Equation (4)

Equation (4) has a solution for s provided k is chosen such that gcd(k, p-1) = 1.

In the method taught by ElGamal it is easy to verify the authenticity of the signature (r,s) by computing both sides of Equation (1) and determining that they are equal. The chosen value of k should never be used more than once. This can be guaranteed, for example, by using a Data Encryption Standard chip in the counter mode as a stream cipher to generate values of k.

It is possible to attempt two types of attacks on the signature scheme of ElGamal. The first type of attack includes attacks designed to recover the secret key x. The second type of attack includes attacks designed to forge signatures without recovering x. Some of these attempted attacks are easily shown to be equivalent to computing discrete logarithms over GF(p).

In the first type of attack attempt an intruder may try to solve t equations of the form of Equation (4) when given {m_i : i = 1, 2, . . . , t} documents, together with the corresponding signatures {(r_i, s_i) : i = 1, 2, . . . , t}. However, there are t+1 unknowns in this system of equations since each signature uses a different value of k. This system of equations is underdetermined and the number of solutions is large. The reason is that each value of x yields a solution for the k_i since a system of linear equations with a diagonal matrix of coefficients will result. Since p-1 is chosen to have at least one large prime factor q, the recovery of x mod q would require an exponential number of message-signature pairs. If any value of k is used twice in the signing, then the system of equations is uniquely determined and x may be recoverable. Thus, for the system of ElGamal to be secure, no value of k should be used more than once, as previously described.

In another attack attempt of this first type an intruder may try to solve equations of the form of Equation (3). This is always equivalent to computing discrete logarithms over GF(p), since both unknowns x and k appear in the exponent. In still another attack of this type an intruder may attempt to develop some linear dependencies among the unknowns {k_i : i = 1, 2, . . . , t}. This is also equivalent to computing discrete logarithms since if k_i = c k_j mod (p-1), then r_i = r_j^c mod p, and if c can be computed then computing discrete logarithms is easy.
In the second type of attack attempt, trying to forge signatures without knowledge of x, a forger may try to find r and s such that Equation (1) is satisfied for a document m. If r = a^j mod p is fixed for some j chosen at random, then computing s is equivalent to solving a discrete logarithm problem over GF(p).

If the forger fixes s first, then r may be computed as follows:

A mod p.    Equation (5)

Solving Equation (5) for r may not be as hard as computing discrete logarithms. However, it is believed that solving Equation (5) in polynomial time is not feasible. In another possible attack of the second type, a forger may try to solve Equation (1) for both r and s simultaneously. However, it is believed that an efficient algorithm for doing so is not known.

The signature scheme of ElGamal also permits an attack attempt wherein the intruder, knowing one legitimate signature (r,s) for one message m, may generate other legitimate signatures (r,s) and messages m. However, this attack attempt, although implementable, does not allow the intruder to sign an arbitrary message m and therefore does not break the system. This limited ability to create acceptable message-signature pairs can be avoided by requiring m to have a certain structure. Alternatively this can be avoided by applying a one-way function H to message m before signing it. This causes a potential forger to be unable to determine a value of m which corresponds to the H(m) which was signed using the method shown below. The forger must be able to transmit such an m to the verifier, if the forgery is to be considered successful.

Given a signature (r,s) for the legitimately signed message m, then

a^m = y^r r^s mod p.

Integers A, B, and C are selected by the forger arbitrarily such that (Ar - Cs) is relatively prime to p-1. The values of r', s', m' are selected such that

r' = r^A a^B y^C mod p,

s' = s r' / (Ar - Cs) mod (p-1),

m' = r'(Am + Bs) / (Ar - Cs) mod (p-1).

Then it is claimed that (r',s') signs the message m'. The verification equation will be satisfied, since

a^{m'} = a^{(mAr' + Bsr') / (Ar - Cs)},

wherein all calculations are performed mod p.

As a special case, setting A = 0, verifiable signatures (r',s') may be generated with corresponding messages m', without access to any signature:

r' = a^B y^C mod p,

m' = -r'B / C mod (p-1).

Thus it will be understood by those skilled in the art that applying a one-way function H to message m, prior to signing, thwarts the general and special-case attack attempts. It will also be understood that function H may be used to form a digest of long messages so that the signature function does not have to be iteratively applied to segments of the full message m. This results in further efficiency.

U.S. Pat. No. 4,995,082, issued to Schnorr, on Feb. 
19, 1991, entitled "Method for Identifying Subscribers 
and for Generating and Verifying Electronic Signatures 
in a Data Exchange System," provides a system 
wherein communication and verification is more effi- 
cient relative to ElGamal. Additionally, the system of 
Schnorr maintains the extremely efficient on-line sign- 
ing capability. However, some of the desirable features 
of ElGamal, as well as the extensive body of experience 
and literature associated with the ElGamal model, are 
not applicable to the Schnorr model. 

Thus, it is desirable to provide a system having effi- 
ciencies of on-line signing, communication, and verifi- 
cation which are comparable to the system of Schnorr 
while still maintaining compatibility with the ElGamal 
model and its analytical tools. In particular, it is desir- 
able to retain the complexity of the ElGamal signature 
equation which enables secure use of the straightfor- 
ward expression H(m), rather than simplifying the sig- 
nature equation at the expense of replacing H(m) by 
Schnorr's H(a^k mod p, m).

SUMMARY OF THE INVENTION 

A method is provided for generating and verifying a digital signature of a message m. This method requires a pair of corresponding public and secret keys (y and x) for each signer, as well as a pair of public and secret values (r and k) generated for each message by the signer. The public value r is calculated according to the rule r = (g^k mod p) mod q. A value s is then selected according to the rule s = k^{-1}(H(m) + xr) mod q, where H is a known conventional hashing function. The message m, along with the signature (r,s), is then transmitted. When the transmitted signal is received a verification process is provided. The received values of r and s are tested to determine whether they are congruent to 0 mod q. Additionally, r is tested to determine whether it is equal to v mod q, where v is computed from r, s, m and y. For legitimately executed signatures, v = g^k mod p.
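The signing and verification procedure summarized above, as an added example that is not part of the patent; it follows Equations (6) through (9) of the detailed description that follows. Assumptions, all marked in the code: toy-sized p and q (the patent requires a 512-bit p and a 160-bit q), SHA-1 reduced mod q standing in for the hash H, and a seeded random generator for x and k so the run is reproducible.

```python
"""Added example (not the patent's own code): the signing and verification
procedure of digital signature algorithm 10, Equations (6) through (9), on
toy-sized parameters.  Assumptions: p and q are tiny so the search below runs
instantly (the patent requires 2^511 < p < 2^512 and 2^159 < q < 2^160);
H is SHA-1 reduced mod q (the patent leaves H open); x and k come from a
seeded generator so the run is reproducible (a real signer needs fresh,
unpredictable secret k for every message)."""
import hashlib
import random


def is_prime(n):
    """Trial division; adequate only for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_params(q):
    """Global values (p, q, g): p = t*q + 1 prime, so q divides p - 1, and
    g = h^((p-1)/q) mod p with g != 1 (Equation (7))."""
    assert is_prime(q)
    t = 2
    while not is_prime(t * q + 1):
        t += 1
    p = t * q + 1
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise ValueError("no suitable h found")


def hash_mod_q(m, q):
    """H(m) as an integer mod q (block 35).  SHA-1 is an assumption."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q


def keygen(p, q, g, rng):
    """Secret key 0 < x < q and public key y = g^x mod p."""
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def precompute(p, q, g, rng):
    """Blocks 15-30, independent of m and therefore computable off-line:
    secret k, r = (g^k mod p) mod q (Equation (6)) and k^-1 mod q.
    r == 0 is retried because diamond 70 would reject such a signature."""
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        if r != 0:
            return r, pow(k, -1, q)


def sign(m, x, pre, q):
    """Block 40: s = k^-1 (H(m) + x r) mod q (Equation (8)).
    Returns None if s == 0; the caller then precomputes a fresh k."""
    r, k_inv = pre
    s = (k_inv * (hash_mod_q(m, q) + x * r)) % q
    return (r, s) if s != 0 else None


def verify(m, sig, y, p, q, g):
    """Blocks 65-115: reject r or s congruent to 0 mod q (diamond 70), recover
    v = g^u1 y^u2 mod p (Equation (9)) and accept iff v mod q == r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_mod_q(m, q) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p
    return v % q == r


def demo():
    """Sign a constructed message and verify it.  Returns
    (p, q, g, accepted, zero_r_accepted, altered_accepted); the last value is
    False except with probability about 1/q."""
    rng = random.Random(7)
    p, q, g = make_params(1019)
    x, y = keygen(p, q, g, rng)
    m = b"constructed sample message"
    sig = None
    while sig is None:
        sig = sign(m, x, precompute(p, q, g, rng), q)
    accepted = verify(m, sig, y, p, q, g)
    zero_r_accepted = verify(m, (0, sig[1]), y, p, q, g)   # diamond 70 path
    altered_accepted = verify(b"altered message", sig, y, p, q, g)
    return p, q, g, accepted, zero_r_accepted, altered_accepted
```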

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGS. 1, 2 show the digital signature algorithm of the present invention.

FIG. 3 shows a hashing algorithm suitable for use within the digital signature algorithm of FIGS. 1, 2.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to FIGS. 1, 2, there is shown digital signature algorithm 10. In digital signature algorithm 10, the two keys in a pair of private and public keys are used respectively to generate and verify digital signatures (r,s), each of which corresponds to a transmitted message m. Using digital signature algorithm 10 the holder of a private key may generate a digital signature for message m where message m may contain any amount of data. A holder of the corresponding public key may then receive message m and verify the signature (r,s). An intruder who does not know the private key cannot generate the signature (r,s) of the holder of the private key for any message m and therefore signatures (r,s) cannot be forged. An intruder also cannot alter any signed message m without invalidating the signature (r,s).

If digital signature algorithm 10 is to be used effectively, a means of associating a public and private key pair with each signer is required. There must be a binding of information identifying the signer with the corresponding public key. In order to insure that each private key or secret key is held by the individual whose identity is bound to the corresponding public key, this binding must be certified by a mutually trusted third party. For example, a certifying authority may sign credentials containing the public key of a user of digital signature algorithm 10 and the identity of the user to form a certificate.

Execution of digital signature algorithm 10 of the present invention begins at start terminal 5. A user of digital signature algorithm 10 first selects a secret value of k as shown in block 15. The selected k is a secret integer generated by the signer for each message m. The value of k is chosen such that 0 < k < q. The k of digital signature algorithm 10 may be generated in a random or pseudo-random fashion. It will be understood by those skilled in the art that the pseudo-random generation of integer k may be performed in any conventional manner.

In block 20 of digital signature algorithm 10 a determination is made of g^k mod p. It is known in the art to determine the quantity of block 20 and transmit this quantity. However, this quantity can be quite long. Therefore, in block 25, the quantity of block 20 is reduced to a one hundred sixty bit image by reducing it mod q as follows:

r = (g^k mod p) mod q.    Equation (6)

In order to generate r as set forth in Equation (6), the value g is determined as follows:

g = h^{(p-1)/q} mod p,    Equation (7)

where h is any non-zero integer mod p such that h^{(p-1)/q} is not congruent to 1 mod p. The value g may be common to all users of digital signature algorithm 10. In Equation (6), p is a prime modulus, where 2^{511} < p < 2^{512}. The prime modulus p may be common to all users of digital signature algorithm 10. The value q is a prime divisor of (p-1), where 2^{159} < q < 2^{160}. q may also be common to all users of digital signature algorithm 10.

Execution of digital signature algorithm 10 then proceeds to block 30 where the quantity k^{-1} mod q is determined. This value will be useful in the determination of the signature for transmission within the system of digital signature algorithm 10. It will be understood by those skilled in the art that all of the operations performed within digital signature algorithm 10 up to and including the computation of block 30 are independent of message m. Thus, these computations may be made off-line, thereby permitting a greatly shortened on-line signing procedure.

Execution of digital signature algorithm 10 then proceeds to block 35 wherein message m is hashed. This hashing of message m performed in block 35 provides an output of one hundred sixty bits or less, denoted by H(m). Many conventional hashing algorithms, suitable for hashing message m as shown in block 35 of algorithm 10, are known in the prior art. Additionally, it will be understood that the message to which the hashing algorithm is applied may be in an unencrypted form.

When r and k^{-1} mod q are determined as set forth in Equations (6) and (7), the value of s for message m may be determined as shown in block 40 of digital signature algorithm 10:

s = k^{-1}(H(m) + xr) mod q.    Equation (8)

The solution of Equation (8) of block 40 of digital signature algorithm 10 also results in a one hundred sixty bit integer. The values r and s thus determined respectively in blocks 25, 40, constitute the signature (r,s) of message m. They are transmitted along with message m to the recipient as shown in block 45. It will be understood that m may be transmitted in an unencrypted form. Execution of algorithm 10 then proceeds by way of off-page connector 50.

Within digital signature algorithm 10, each signer is provided with a secret key x, where 0 < x < q. A secret key x is fixed for all messages m transmitted by an individual user of digital signature algorithm 10. Additionally, public key y is provided to the user holding the secret key x, where y = g^x mod p. Prior to verifying a signature (r,s), the identity of the user who possesses the corresponding secret key x must be [illegible in source]. The ultimate purpose of verification is to prove that (r,s) was originally created by one who had knowledge of the value of x which corresponds to the particular value of y. If x has not been compromised, this signer is known to be the one whose identity is linked to the particular y in an authenticated manner. Additionally, the recipient must know the global values g, p and q.

Execution of algorithm 10 then proceeds by way of on-page connector 55 to start terminal 60. After receiving message m as shown in block 65, along with its purported signature (r,s), the recipient within the system of the present invention must verify both the received r and the received s. It will be understood therefore that within digital signature algorithm 10 the prior art kernel g^k mod p is reduced mod q and transmitted. g^k mod p is then recovered and verified [illegible in source]; thus g^k mod p is reconstructed at the receiving end rather than transmitted by the sender.

A determination is made at decision diamond 70 of algorithm 10 whether either s or r is congruent to 0 mod q. If either r or s is congruent to 0 mod q, execution proceeds to block 115 and the received signature (r,s) is rejected by digital signature algorithm 10. If r and s are not congruent to 0 mod q, then the recipient proceeds with verification of the received signature (r,s) as shown in dashed verification box 75.

Digital signature algorithm 10, upon entering dashed verification block 75, recovers g^k mod p as shown in dashed recovery block 80. It is known in the art to recover g^k mod p after receiving a transmitted message because many prior art methods transmitted g^k mod p without any reducing prior to transmission. Within recovery block 80, the values of u1 and u2 are determined as shown in block 85. The values of block 85 are determined as u1 = (H(m))(s)^{-1} mod q, and u2 = (r)(s)^{-1} mod q. Determination of the values u1 and u2 permits a determination of g^k mod p from u1, u2, and y as set forth
in Equation (9). This determination is shown in block 90. It will be understood by those skilled in the art that it is not known at this point whether the quantity recovered in block 90 is a legitimate g^k mod p. However, execution of digital signature algorithm 10 proceeds on the assumption that it is legitimate and checks this assumption.

v = (g)^{u1} (y)^{u2} mod p    Equation (9)
  = g^{H(m) s^{-1}} g^{xr s^{-1}} mod p
  = g^{(H(m) + xr) k (H(m) + xr)^{-1}} mod p
  = g^k mod p.

Within dashed checking block 95 the recovered quantity g^k mod p of Equation (9) is checked by first determining the value of w as shown in block 100. The value of block 100 is determined as w = v mod q. In decision diamond 105 a determination is made as to whether the received value of r is equal to the mod q reduced value of g^k mod p, where m, k, r and s satisfy the relationship set forth in Equation (8), for the given value of y. If the determination of decision 105 is affirmative, execution proceeds to verify block 110 where the signature (r,s) received in block 65 is considered verified by digital signature algorithm 10. If the determination of decision diamond 105 is negative, execution proceeds to reject box 115 where the received signature (r,s) is rejected.

The security of digital signature algorithm 10 is dependent upon maintaining the secrecy of private keys. Users of digital signature algorithm 10 must therefore guard against the unauthorized disclosure of their private keys. In addition, the hash function H of block 35 used to determine the value of s must be selected such that it is computationally infeasible to find any message m which has a given hash value. Likewise, it should be computationally infeasible to find any pair of distinct messages m which hash to the same value.

Referring now to FIG. 3, there is shown hashing algorithm 150. A conventional algorithm such as algorithm 150 may be found, for example, in R. L. Rivest, "The MD4 Message Digest Algorithm," Abstracts Crypto '90, pp. 281-291. As previously described, the signature and verification processes within digital signature algorithm 10 require a secure hash algorithm which takes an arbitrary length message as input and outputs a hash value of length one hundred sixty bits or less. Hashing algorithm 150 is suitable for performing the hashing function of digital signature algorithm 10 as set forth in block 35. It will be understood by those skilled in the art that conventional hashing functions other than hashing algorithm 150 may also be used to perform the hashing function of block 35 within digital signature algorithm 10.

Execution of hashing algorithm 150 proceeds from block 30 of digital signature algorithm 10 and begins at start terminal 152. Hashing algorithm 150 then receives as its input a b-bit message m to be hashed as shown in block 153. The number of bits b of message m received in block 153 is an arbitrary non-negative integer. The value of b may be zero and it need not be a multiple of eight. Furthermore, b may be arbitrarily large. The bits of message m may be described as follows: [bit listing illegible in source]

The next step of hashing algorithm 150 is padding or extending message m so that its length in bits is congruent to 448 modulo 512, as shown in dashed padding block 155. That is, message m is extended so that it is just sixty-four bits short of being a multiple of five hundred twelve bits long. Padding of message m must always be performed within hashing algorithm 150, even if the length of message m is already congruent to 448, modulo 512. In the case where the length of message m is already congruent to 448, modulo 512, five hundred twelve bits of padding are added in dashed padding block 155.

In the padding of message m set forth in padding block 155, a single bit having a value of one is appended to message m as shown in block 160 within padding block 155. Then enough zero bits are appended to message m to cause the length in bits of padded message m to become congruent to 448, modulo 512, as shown in block 165. [remainder of sentence illegible in source]

Execution of hashing algorithm 150 then proceeds to block 170, where a sixty-four bit representation of b is appended to the result of the appending operations of blocks 160, 165. It will be understood that b is the length of message m before the padding bits are added as set forth in blocks 160, 165. This sixty-four bit representation is appended as two thirty-two bit words, low-order word first. In the unlikely event that b is greater than 2^64, then only the low-order sixty-four bits are appended in block 170. At this stage in the execution of hashing algorithm 150, the resulting padded message has a length that is an exact multiple of five hundred twelve bits. Equivalently, this padded message has a length that is an exact multiple of sixteen words where each word is understood to be thirty-two bits. Let M[u], 0 ≤ u ≤ N-1, denote the words of the message resulting from processing in block 170, where N is a multiple of sixteen.

Execution of hashing algorithm 150 then proceeds to dashed message digest block 175 where a four word buffer is used to compute the message digest A, B, C, D. Each of the four words of the message digest A, B, C, D is a thirty-two bit register. In block 180 of message digest block 175 these registers are initialized to the hexadecimal values shown in Table I, low-order bytes first.

TABLE I

Word A: 01 23 45 67
Word B: 89 ab cd ef
Word C: fe dc ba 98
Word D: 76 54 32 10

Three auxiliary functions f1, f2, f3 are set forth in Table II. Each auxiliary function f1, f2, f3 receives as input three thirty-two bit words X, Y, Z and produces as output one thirty-two bit word, f1(X,Y,Z), f2(X,Y,Z), and f3(X,Y,Z) respectively.

TABLE II

f1(X, Y, Z) = XY ∨ (¬X)Z
TABLE II (continued)

f2(X, Y, Z) = XY ∨ XZ ∨ YZ
f3(X, Y, Z) = X ⊕ Y ⊕ Z

In each bit position of the input words X, Y, Z the auxiliary function f1 acts as a conditional to implement the condition: if X then Y else Z. In each bit position the auxiliary function f2 acts as a majority function: if at least two of X, Y, Z have a value of one, then f2 has a one in that bit position. The auxiliary function f3 applies the bit-wise exclusive OR or parity function to each bit position. If the bits of X, Y, and Z are independent and unbiased, then each bit of f1(X,Y,Z) is independent and unbiased. Similarly the auxiliary functions f2(X,Y,Z) and f3(X,Y,Z) are independent and unbiased if the bits of X, Y, and Z are independent and unbiased.

Hashing algorithm 150 initializes the loop induction variable n to zero in block 186, and then sets the current values of the array X[j] for 0 ≤ j ≤ 15 in block 187 and performs a set of three rounds of hashing as shown in blocks 190, 195, 197, where array X[j] is updated and three rounds of hashing are performed a total of N/16 times. In rounds two and three, hashing algorithm 150 uses constants. The round two constant is the square root of two and the round three constant is the square root of three. The values of these constants, with high-order digits given first, are set forth in Table III.

TABLE III

                                   Octal          Hex
Round 2 constant (square root 2)   013240474631   5A827999
Round 3 constant (square root 3)   015666365641   6ED9EBA1

Each of the N/16 sets of three rounds begins with execution of the instruction sequence in Table IV as occurs in block 187, where the value of n denotes the set currently being processed. The sets are indexed by 0 to (N/16)-1.

TABLE IV

Set X[j] to M[n*16 + j], for j = 0, 1, . . . , 15.
Save A as AA, B as BB, C as CC, and D as DD.

When execution of hashing algorithm 150 proceeds to block 190 and round one of the hashing occurs, [A B C D i t] denotes the operation A = (A + f1(B,C,D) + X[i]) <<< t. It will be understood by those skilled in the art that (A <<< t) denotes the thirty-two bit value obtained by circularly shifting or rotating A left t bit positions. The operation denoted above generically by [A B C D i t] occurs sixteen times during round one, where the values assumed consecutively by operands A, B, C, D, i, and t respectively are given in Table V.

TABLE V

[A B C D 0 3]   [D A B C 1 7]   [C D A B 2 11]   [B C D A 3 19]
[A B C D 4 3]   [D A B C 5 7]   [C D A B 6 11]   [B C D A 7 19]
[A B C D 8 3]   [D A B C 9 7]   [C D A B 10 11]  [B C D A 11 19]
[A B C D 12 3]  [D A B C 13 7]  [C D A B 14 11]  [B C D A 15 19]

When execution proceeds to block 195, round two of the hashing algorithm 150 begins. In round two [A B C D i t] denotes the operation A = (A + f2(B,C,D) + X[i] + 5A827999) <<< t. The operation denoted immediately above by [A B C D i t] occurs sixteen times during round two, where the values assumed consecutively by operands A, B, C, D, i, and t respectively are given in Table VI.

TABLE VI

[A B C D 0 3]   [D A B C 4 5]   [C D A B 8 9]    [B C D A 12 13]
[A B C D 1 3]   [D A B C 5 5]   [C D A B 9 9]    [B C D A 13 13]
[A B C D 2 3]   [D A B C 6 5]   [C D A B 10 9]   [B C D A 14 13]
[A B C D 3 3]   [D A B C 7 5]   [C D A B 11 9]   [B C D A 15 13]

When execution proceeds to block 197, round three of the hashing algorithm 150 begins. In round three [A B C D i t] denotes the operation A = (A + f3(B,C,D) + X[i] + 6ED9EBA1) <<< t. The operation denoted immediately above by [A B C D i t] occurs sixteen times during round three, where the values assumed consecutively by operands A, B, C, D, i, and t respectively are given in Table VII.

TABLE VII

[A B C D 0 3]   [D A B C 8 9]   [C D A B 4 11]   [B C D A 12 15]
[A B C D 2 3]   [D A B C 10 9]  [C D A B 6 11]   [B C D A 14 15]
[A B C D 1 3]   [D A B C 9 9]   [C D A B 5 11]   [B C D A 13 15]
[A B C D 3 3]   [D A B C 11 9]  [C D A B 7 11]   [B C D A 15 15]

After round three is complete, execution of hashing algorithm 150 within block 35 of digital signature algorithm 10 proceeds to block 199 wherein the following additions are performed:

A = A + AA
B = B + BB
C = C + CC
D = D + DD

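Hashing algorithm 150 as described above (padding blocks 155-170, Tables I-VII and the additions of block 199), as an added example that is not the patent's own code. It assumes, as the text's citation of Rivest indicates, that algorithm 150 is exactly MD4, so the two digests checked are the published MD4 test vectors for the empty string and for "abc"; the register-role rotation in the inner loop is how the [A B C D i t] notation of Tables V-VII is realised here.

```python
"""Added example (not the patent's own code): hashing algorithm 150 of
FIG. 3 transcribed from the description: padding blocks 155-170, the Table I
initial registers, the Table II auxiliary functions, the round schedules of
Tables V-VII with the Table III constants, and the additions of block 199.
Assumption: algorithm 150 is exactly MD4 as cited from Rivest, so its
published test vectors apply."""
import struct

MASK = 0xFFFFFFFF


def f1(x, y, z):
    """Table II: XY v (not X)Z, in each bit position 'if X then Y else Z'."""
    return ((x & y) | (~x & z)) & MASK


def f2(x, y, z):
    """Table II: XY v XZ v YZ, the bit-wise majority function."""
    return (x & y) | (x & z) | (y & z)


def f3(x, y, z):
    """Table II: X xor Y xor Z, the bit-wise parity function."""
    return x ^ y ^ z


def rotl(a, t):
    """(A <<< t): circular left shift of a 32-bit word by t positions."""
    return ((a << t) | (a >> (32 - t))) & MASK


# (auxiliary function, order of X[i] indices, shift amounts t, round constant)
ROUNDS = (
    (f1, tuple(range(16)), (3, 7, 11, 19), 0),                      # Table V
    (f2, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
     (3, 5, 9, 13), 0x5A827999),                                     # Table VI
    (f3, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
     (3, 9, 11, 15), 0x6ED9EBA1),                                    # Table VII
)


def pad(message):
    """Blocks 155-170: append a single 1 bit, then zeros until the length is
    congruent to 448 mod 512, then the 64-bit bit-length b, low-order word
    first.  A message already at 448 mod 512 receives a full 512 bits of
    padding in block 155, as the text requires."""
    b = len(message) * 8
    padded = message + b"\x80"                       # block 160: 1 bit, then zeros
    padded += b"\x00" * ((56 - len(padded)) % 64)    # block 165
    return padded + struct.pack("<Q", b & 0xFFFFFFFFFFFFFFFF)   # block 170


def md4(message):
    """Returns the 16-byte digest A, B, C, D, low-order bytes first."""
    padded = pad(message)
    # block 180: Table I, "01 23 45 67" low-order byte first is 0x67452301
    regs = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):           # one 16-word set per pass
        X = struct.unpack("<16I", padded[off:off + 64])      # Table IV
        saved = list(regs)                                    # AA, BB, CC, DD
        for fn, order, shifts, const in ROUNDS:               # blocks 190, 195, 197
            for n, i in enumerate(order):
                # [A B C D i t] with the register roles rotating each step:
                # (A B C D), (D A B C), (C D A B), (B C D A), ...
                ai = (-n) % 4
                bi, ci, di = (ai + 1) % 4, (ai + 2) % 4, (ai + 3) % 4
                total = regs[ai] + fn(regs[bi], regs[ci], regs[di]) + X[i] + const
                regs[ai] = rotl(total & MASK, shifts[n % 4])
        regs = [(r + s) & MASK for r, s in zip(regs, saved)]  # block 199
    return struct.pack("<4I", *regs)
```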
Thus, each of the four registers A, B, C, D which together ultimately form the digest of the received message is incremented by the value it had before the particular set was started.

The message digest produced as the output of hashing algorithm 150 within digital signature algorithm 10 is thus the 4-tuple of values of A, B, C, D obtained in block 199 after processing the last set. The loop induction variable is incremented in block 201 and tested in decision diamond 202. If execution is not complete, block 187 is performed again. Otherwise execution of algorithm 150 proceeds to exit terminal 203.

It will be understood by those skilled in the art that more than one hundred twenty eight bits of output may be required in some applications. This may be accomplished, for example, by providing two systems in parallel wherein each of the parallel systems executes hashing algorithm 150 with appropriately chosen constants and initialized registers, in order to provide at most two hundred fifty six bits of final output.

Although an example mode, which includes specification of parameter range restrictions, for carrying out the present invention has been herein shown and described, it will be apparent that modification and variation may be made without departing from what is regarded to be the subject matter of this invention.

I claim:

1. A method for generating a digital signature (r,s) of a message m in a system wherein information is transmitted and received by users of said system, comprising the steps of:
(a) providing a secret value k unique to said message m;
(b) providing a public value g;
(c) calculating said value r proceeding from a prime modulus p and a value q selected to be a prime divisor of p - 1 according to the rule r = (g^k mod p) mod q;
(d) applying a hashing transform H only to said message m to generate a transformed message H(m);
(e) calculating said value s according to the rule s = f(H(m)) where said value s is a function of m only by way of said transformed message H(m);
(f) generating a signal representative of said digital signature (r,s) in accordance with said value r and said value s and transmitting said generated signal.

2. The method for generating a digital signature (r,s) of claim 1, wherein step (a) comprises the step of randomly selecting said secret value k.

3. The method for generating a digital signature (r,s) of claim 1, wherein step (b) comprises the step of calculating said value g proceeding from a value h which may be any non-zero integer such that h^((p-1)/q) is not congruent to 1 mod p according to the rule g = h^((p-1)/q) mod p.

4. The method for generating a digital signature (r,s) of claim 1, wherein step (d) comprises the step of transforming said message m by applying a one-way transform H to said message m.

5. The method for generating a digital signature (r,s) of claim 1, wherein step (e) further comprises the step of calculating said value s according to the rule s = k^-1 (H(m) + xr) mod q wherein said value x is a secret value.

6. The method for generating a digital signature (r,s) of claim 1, wherein steps (a)-(c) are performed prior to knowledge of said message m.

7. The method for generating a digital signature (r,s) of claim 1, comprising the further step of transmitting a signed message formed of said message m and said digital signature (r,s).

8. The method for generating a digital signature (r,s) of claim 7, comprising the further steps of:
(g) receiving said transmitted signed message including a received digital signature (r,s) with a received value r and a received value s; and,
(h) verifying said received digital signature (r,s).

9. The method for generating a digital signature (r,s) of claim 8, wherein step (h) comprises the step of reconstructing said g^k mod p of step (c) to provide a recovered g^k mod p.

10. The method for generating a digital signature (r,s) of claim 9, comprising the step of determining a value v proceeding from a value u1 = (H(m))(s)^-1 mod q and a value u2 = (r)(s)^-1 mod q according to the rule v = (g)^u1 (y)^u2 mod p wherein said value y is congruent to g^x mod p and said value x is a secret value.

11. The method for generating a digital signature (r,s) of claim 10, comprising the step of determining whether said determined value v after reduction mod q is the same as said received value r.

12. The method for generating a digital signature (r,s) of claim 11, comprising the further step of determining that said received digital signature (r,s) is verified in response to determining that said determined value v after reduction mod q is the same as said received value r.

13. The method for generating a digital signature (r,s) of claim 8, wherein step (h) further comprises the step of determining whether said received value r is congruent to 0 mod q.

14. The method for generating a digital signature (r,s) of claim 8, wherein step (h) further comprises the step of determining whether said received value s is congruent to 0 mod q.

15. A system for generating a digital signature (r,s) of a message m wherein information is transmitted and received by users of said system, comprising:
a secret value k unique to said message m;
a public value g;
transform means for applying a hashing transform H only to said message m to generate a transformed message H(m);
means for calculating said value r proceeding from a prime modulus p and a value q selected to be a prime divisor of p - 1 according to the rule r = (g^k mod p) mod q;
means for calculating said value s according to the rule s = f(H(m)) where said value s is a function of said message m only by way of H(m);
generating means for receiving said calculated values of r and s and generating a signal representative of a signed message formed of said message m and said digital signature (r,s); and,
transmitting means for transmitting said generated signal.
16. The system for generating a digital signature (r,s) of claim 15, wherein said secret value k is randomly selected.

17. The system for generating a digital signature (r,s) of claim 15, wherein said public value g is calculated proceeding from a value h which may be any non-zero integer such that h^((p-1)/q) is not congruent to 1 mod p according to the rule g = h^((p-1)/q) mod p.

18. The system for generating a digital signature (r,s) of claim 15, wherein said transform means comprises one-way transform means for transforming said message m by applying a one-way hashing transform H to said message m.

19. The system for generating a digital signature (r,s) of claim 15, wherein a value x is a secret value and said value s is calculated according to the rule s = k^-1 (H(m) + xr) mod q.

20. The system for generating a digital signature (r,s) of claim 15, wherein said values k, g, and r are determined independently of said message m.

21. The system for generating a digital signature (r,s) of claim 15, further comprising:
means for receiving said transmitted signed message; and
verifying means for verifying said digital signature (r,s).

22. The system for generating a digital signature (r,s) of claim 21, wherein said verifying means further comprises means for reconstructing said g^k mod p to provide a recovered g^k mod p within said verifying means.

23. The system for generating a digital signature (r,s) of claim 22, further comprising means for determining a value v proceeding from a value u1 = (H(m))(s)^-1 mod q and a value u2 = (r)(s)^-1 mod q according to the rule v = (g)^u1 (y)^u2 mod p wherein said value y is congruent to g^x mod p and said value x is a secret value.

24. The system for generating a digital signature (r,s) of claim 23, further comprising means for determining whether said determined value of v after reduction mod q is the same as said received value r.

25. The system for generating a digital signature (r,s) of claim 24, further comprising means for determining that said signature (r,s) is verified in response to determining that said value v after reduction mod q is the same as said received value r.

26. The system for generating a digital signature (r,s) of claim 21, wherein said verifying means comprises means for determining whether said value r is congruent to 0 mod q.

27. The system for generating a digital signature (r,s) of claim 21, wherein said verifying means comprises means for determining whether said value s is congruent to 0 mod q.

28. A method for generating and verifying a digital signature (r,s) of a message m in a system, comprising the steps of:
(a) providing a secret value k unique to said message m;
(b) providing a public value g;
(c) determining said value r proceeding from a prime modulus p according to the rule r = F(g^k mod p) wherein F is a reduction function independent of said message m;
(d) receiving a signed message formed of said message m and said digital signature (r,s);
(e) recovering and isolating g^k mod p in accordance with said message m;
(f) determining whether said isolated g^k mod p after reduction according to said reduction function F is the same as said received value r;
(g) determining that said signature (r,s) is verified in accordance with the determination of step (f); and,
(h) generating a verification signal in accordance with step (g) and transmitting said verification signal.

29. The method for generating and verifying a digital signature (r,s) of claim 28, wherein step (b) comprises calculating said value g proceeding from a value h which may be any non-zero integer such that h^((p-1)/q) is not congruent to 1 mod p according to the rule g = h^((p-1)/q) mod p, q being selected to be a prime divisor of p - 1.

30. The method for generating and verifying a digital signature (r,s) of claim 28, wherein step (a) comprises randomly selecting said secret value k.

31. The method for generating and verifying a digital signature (r,s) of claim 29, wherein said reduction function F comprises reduction mod q.

32. The method for generating and verifying a digital signature (r,s) of claim 29, further comprising the step of determining a value v proceeding from a value u1 = (H(m))(s)^-1 mod q and a value u2 = (r)(s)^-1 mod q according to the rule v = (g)^u1 (y)^u2 mod p where said value y is congruent to g^x mod p and said value x is a secret value.

33. The method for generating and verifying a digital signature (r,s) of claim 29, further comprising the step of calculating said value r proceeding from a prime modulus p, according to the rule r = (g^k mod p) mod q prior to knowledge of said message m.

34. The method for generating and verifying a digital signature (r,s) of claim 28, further comprising the step of calculating said value s according to the rule s = f(H(m)) where H is a hashing transform for producing a transformed message H(m) and said value s is a function of m only by way of said transformed message H(m).

35. The method for generating and verifying a digital signature (r,s) of claim 34, comprising the step of transforming said message m by applying a one-way transform H to said message m.

36. The method for generating and verifying a digital signature (r,s) of claim 29, further comprising the step of calculating said value s according to the rule s = k^-1 (H(m) + xr) mod q wherein said value x is a secret value.

37. The method for generating and verifying a digital signature (r,s) of claim 36, comprising the step of determining k^-1 prior to knowledge of message m.
38. The method for generating and verifying a digital signature (r,s) of claim 28, wherein steps (a)-(c) are performed prior to knowledge of said message m.

39. The method for generating and verifying a digital signature of claim 36, comprising the further step of transmitting a signed message formed of said message m and said digital signature (r,s) proceeding from said calculated value of s.

40. The method for generating and verifying a digital signature (r,s) of claim 29, wherein step (g) further comprises the step of determining verification in accordance with a determination whether said received value r is congruent to 0 mod q.

41. The method for generating and verifying a digital signature (r,s) of claim 29, wherein step (g) further comprises the step of determining verification in accordance with a determination whether said received value s is congruent to 0 mod q.

42. The method for generating and verifying a digital signature (r,s) of claim 5, wherein k^-1 is determined prior to knowledge of said message m.

43. The system for generating and verifying a digital signature (r,s) of claim 19, wherein k^-1 is determined prior to knowledge of said message m.

44. A system for generating and verifying a digital signature (r,s) of a message m wherein information is transmitted and received by users of said system, comprising:

a secret value k unique to said message m;
a public value g;

means for determining said value r proceeding from a prime modulus p according to the rule r = F(g^k mod p) wherein F is a reduction function independent of said message m;
means for receiving a signed message formed of said message m and said digital signature (r,s);
means for recovering and isolating g^k mod p in accordance with said message m;
comparison means for determining whether said isolated g^k mod p after reduction according to said reduction function F is the same as said received value r;

verification means for determining that said signature (r,s) is verified in accordance with the determination of said comparison means;
means for generating a verification signal in accordance with the verification of said verification means; and,
means for transmitting said verification signal.
***** 
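As an added worked example (not code from the patent), a toy Python implementation of the signing and verification rules stated in claims 1, 3, 5 and 8 to 14, including the r ≠ 0 and s ≠ 0 mod q checks of claims 13 and 14 and the pre-message preparation of r and k^-1 of claims 6 and 37. SHA-256 reduced mod q is assumed as a stand-in for the patent's hashing transform H, and the constructed parameters p = 23, q = 11 are far too small for real use.

```python
"""Toy implementation of the DSA rules stated in the claims above.
The parameters p = 23, q = 11 are constructed for readability and are far too
small to be secure; SHA-256 reduced mod q stands in for the hashing transform H."""
import hashlib
import random
from typing import NamedTuple, Optional


class Params(NamedTuple):
    p: int  # prime modulus
    q: int  # prime divisor of p - 1
    g: int  # public value g = h^((p-1)/q) mod p, of order q


def make_params(p: int, q: int, h: int) -> Params:
    """Claim 3: g = h^((p-1)/q) mod p for a non-zero h whose power is not 1 mod p."""
    if (p - 1) % q != 0:
        raise ValueError("q must be a prime divisor of p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h^((p-1)/q) is congruent to 1 mod p; choose another h")
    return Params(p, q, g)


def H(m: bytes, q: int) -> int:
    """Hashing transform applied only to the message m (claim 1, step (d)).
    Constructed stand-in: SHA-256 reduced mod q; the patent's own hash differs."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def public_key(P: Params, x: int) -> int:
    """y = g^x mod p for the secret value x (claims 10 and 23)."""
    return pow(P.g, x, P.p)


def precompute(P: Params, k: int) -> Optional[tuple[int, int]]:
    """Claims 6 and 37: r = (g^k mod p) mod q and k^-1 mod q need no message, so
    they can be prepared before m is known. None when r is 0 mod q (claim 13)."""
    r = pow(P.g, k, P.p) % P.q
    if r == 0:
        return None
    return pow(k, -1, P.q), r


def sign_digest(P: Params, x: int, hm: int, pre: tuple[int, int]) -> Optional[tuple[int, int]]:
    """Claim 5: s = k^-1 (H(m) + x r) mod q, a function of m only through hm = H(m).
    None when s is 0 mod q (claim 14), in which case a fresh k is needed."""
    k_inv, r = pre
    s = (k_inv * (hm + x * r)) % P.q
    return None if s == 0 else (r, s)


def sign(P: Params, x: int, m: bytes, rng: random.Random) -> tuple[int, int]:
    """Draw per-message secret values k until both r and s are non-zero mod q."""
    while True:
        pre = precompute(P, rng.randrange(1, P.q))
        sig = pre and sign_digest(P, x, H(m, P.q), pre)
        if sig:
            return sig


def verify_digest(P: Params, y: int, hm: int, sig: tuple[int, int]) -> bool:
    """Claims 8-14: reject r or s congruent to 0 mod q, recover g^k mod p as
    v = g^u1 y^u2 mod p with u1 = hm s^-1, u2 = r s^-1 (mod q), compare v mod q to r."""
    r, s = sig
    if not (0 < r < P.q and 0 < s < P.q):
        return False
    w = pow(s, -1, P.q)
    u1, u2 = (hm * w) % P.q, (r * w) % P.q
    v = (pow(P.g, u1, P.p) * pow(y, u2, P.p)) % P.p
    return v % P.q == r


def verify(P: Params, y: int, m: bytes, sig: tuple[int, int]) -> bool:
    return verify_digest(P, y, H(m, P.q), sig)


def roundtrip(seed: int, m: bytes = b"transfer 10") -> bool:
    """Key generation, signing and verification with the toy parameters."""
    P = make_params(p=23, q=11, h=2)  # constructed: g = 2^2 mod 23 = 4
    rng = random.Random(seed)
    x = rng.randrange(1, P.q)
    return verify(P, public_key(P, x), m, sign(P, x, m, rng))


if __name__ == "__main__":
    P = make_params(23, 11, 2)
    pre = precompute(P, 5)                 # (k^-1, r) = (9, 1), no message needed
    print(sign_digest(P, 3, 2, pre))       # (1, 1) for x = 3, H(m) = 2
    print(verify_digest(P, 18, 2, (1, 1)), verify_digest(P, 18, 3, (1, 1)))  # True False
    print(roundtrip(7))                    # True
```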
[57] ABSTRACT

In a data exchange system working with processor chip cards, a chip card transmits coded identification data I, v and, proceeding from a random discrete logarithm r, an exponential value x = 2^r (mod p) to the subscriber who, in turn, generates and transmits a random bit sequence e to the chip card. By multiplication of a stored private key s with the bit sequence e and by addition of the random number r, the chip card calculates a y value and transmits the y value to the subscriber who, in turn, calculates an x value from the information y, v and e and checks whether the calculated x value coincides with the transmitted x value. For an electronic signature, a hash value e is first calculated from an x value and from the message m to be signed, and a y value is subsequently calculated from the information r, s and e. The numbers x and y then yield the electronic signature of the message m.
METHOD FOR IDENTIFYING SUBSCRIBERS
AND FOR GENERATING AND VERIFYING
ELECTRONIC SIGNATURES IN A DATA
EXCHANGE SYSTEM

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system working with processor chip cards, using identification data coded in a center with respective subscriber-related known ciphers and stored in the respective chip card and with secret ciphers having a logical relationship to the known ciphers, whereby random number-dependent check data are mutually exchanged between the subscribers.

2. Description of the Prior Art

Important prerequisites for data security in modern communication systems are:

(a) the mutual identification of the communicating partners participating in the system;

(b) the authentication of the transmitted and stored data;

(c) the coding of the transmitted and stored data; and

(d) checking the authorship of the transmitted data.

As is known, a high degree of data security can only be achieved by utilizing cryptographic methods that enable an identification and authenticity check of messages, subscribers and equipment beyond all doubt. What is generally understood by cryptography is a coding of the data for secrecy purposes. In addition to this doubtlessly important crypto function, however, other functions, particularly checking the authenticity and authorship or generating electronic signatures, are gaining increasing significance.

Symmetrical or asymmetrical coding algorithms can be employed for realizing cryptographic functions. Given a symmetrical algorithm, for example the DES algorithm (data encryption standard), identical keys are employed for coding and decoding. Symmetrical cryptosystems are particularly suitable when larger data sets have to be transmitted at a high rate. By contrast, disadvantages derive due to a relatively difficult cryptomanagement because the transmitter and the receiver must have the same key and a reliable channel is required for the transmission of the key respectively employed.

In asymmetrical cryptosystems, different ciphers are employed for coding and decoding, such that, for example, the key for coding is known and the key for decoding is secret. The latter is only known to the receiver. An asymmetrical cryptosystem is, for example, the RSA algorithm named after the inventors Rivest, Shamir and Adleman, which requires a comparatively high technological outlay and correspondingly long run times dependent on the length of the cipher employed but satisfies high security requirements on the basis of the special cryptosystem. The asymmetrical cryptosystem is ideally suited for signing a message to be transmitted. The message to be signed is thereby coded with the secret key of the signee and can be decoded by anyone that knows the public key. This "electronic signature" not only contains the personal feature (possession of the private or secret key of the signee) but also involves the signed text, with the consequence that the receiver recognizes any change in the text. Message and signature are therefore invariably linked via the key algorithm.

The utilization of modern cryptographic equipment is intimately connected to the introduction of what are referred to as multi-functional processor chip cards. The processor chip card not only enables versatile applications but is also employed for accepting the necessary security components (secret key and cryptoalgorithm) in order to guarantee an identification of the user and a reliable authentication of the card and of the message exchanged.

Presently known algorithms for electronic signatures, particularly the RSA algorithm (in this connection see U.S. Pat. No. 4,405,829, fully incorporated herein by this reference) or the algorithm developed by A. Fiat and A. Shamir (European patent application Ser. No. 0,252,499), require either a high memory outlay or, insofar as they can be accommodated at all in the chip, because of extensive and complicated arithmetic operations, particularly multiplications, require a great deal of time, so that they are only conditionally suitable for utilization in chip cards.

SUMMARY OF THE INVENTION

It is therefore an object of the invention to provide methods for mutual identification of subscribers of data exchange systems and for generating signatures that, given essentially the same security guarantees, enable shorter run times of the computations, in comparison to known cryptographic methods.

The above object is achieved, according to the present invention, in a method for mutual identification of subscribers in a data exchange system working with processor chip cards, utilizing identification data coded in a center with respective subscriber-related known keys and stored in the respective chip card and with secret keys having a logical relationship to these known keys, whereby random number-dependent check data are mutually exchanged between the subscribers, and is particularly characterized in that the chip card sends the coded identification data, potentially together with a signature of the center, to the subscriber entering into an information exchange with the chip card, this subscriber checking the correctness of the coded identification data with reference to a known list or with reference to the signature of the center, then, proceeding from a random discrete logarithm r ∈ {1, . . . , p - 1}, where p is a declared prime number modulus, the chip card forms an x value according to the rule x := 2^r (mod p) and sends this x value to the subscriber, after which the subscriber sends a random bit sequence e = (e_{1,1}, . . . , e_{k,t}) ∈ {0,1}^{kt} to the chip card, and by multiplication of the stored secret key s_j, that likewise represents a discrete logarithm, by the bits of the random bit sequence e transmitted from the subscriber to the chip card, and by addition of the random number r allocated to the x value, the chip card calculates a number y according to the rule

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{j,i}\, 2^{i-1} \pmod{p-1}$$

and transmits the number y to the subscriber, then, with reference to the number y transmitted to the subscriber, the subscriber calculates a number x̄ according to the rule
$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{j,i}\, 2^{i-1}} \pmod{p}$$

and checks the identity of the chip card user on the basis of a comparison between the calculated number x̄ and the x value previously communicated to the subscriber.

According to another feature of the invention, the method is particularly characterized in that the chip card calculates an x value according to the rule x := 2^r (mod p) from a random number r generated in the chip card and lying in the range between 1 and the prime number modulus (p - 1), that the chip card calculates a random bit sequence as a function of the x value, of the message m and of a declared hash function h according to the rule e := h(x, m) ∈ {0,1}^{kt}, that the chip card calculates a y value from the random number r, from the secret ciphers s_j stored in the chip card and from the random bit sequence e according to the rule

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{j,i}\, 2^{i-1} \pmod{p-1}$$

and that the chip card sends the message m and the signature formed from the values x and y to the subscriber in message communication with the chip card.

According to another feature of the invention, methods can be accelerated by discrete logarithms calculated in a preliminary process and intermediately stored, whereby values once employed are combined in a random fashion with other discrete logarithms in a rejuvenation process. This is exemplified by a method of the type set forth above which is particularly characterized in that a plurality of random numbers r and respectively appertaining x values calculated in a preliminary process are stored in pairs in the chip card, in that the pair (r, x) employed in an identification procedure and/or signature procedure is varied in such a manner that a random number r, after use thereof, is combined with a random selection of the remaining stored random numbers, and in that the rejuvenated random number calculates the appertaining x value and is stored and/or used together with the rejuvenated random number r as a rejuvenated pair.

A method for verification of a signature generated according to the second-mentioned feature is particularly characterized, with respect to the subscriber receiving the signed message m, in that:

a random bit sequence e is calculated from the message m and from the x value of the signature according to the rule e := h(x, m) ∈ {0,1}^{kt},

that an x̄ value according to the rule

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{j,i}\, 2^{i-1}} \pmod{p}$$

is calculated from the random bit sequence e, from the public key v and from the y value of the signature and is checked to see whether the calculated x̄ value coincides with the x value of the signature.

With respect to rejuvenation, according to another feature of the invention, a method is particularly characterized in that a plurality of random numbers r_1, . . . , r_t and their appertaining x values, x_i = 2^{r_i} (mod p), are stored in the chip card, and in that the pair of numbers (r, x) used in an identification procedure and/or signature procedure is rejuvenated in the following manner, by a random selection of the pairs (r_i, x_i) for i = 1, . . . , t.

According to another feature of the invention, a method is particularly characterized by such a selection of the prime number modulus p that (p - 1) is divisible by a prime number q and by such a selection of the base α of the discrete logarithm that

$$\alpha^{q} \equiv 1 \pmod{p}, \qquad \alpha \not\equiv 1 \pmod{p}$$

applies, and in that the discrete logarithms y, r, s_j are calculated modulo q, and in that the key components s_j and v_j are in the relationship v_j = α^{-s_j} (mod p). Then α (mod p) plays the role of the base 2 above.

According to another feature of the invention, a method is particularly characterized by such a selection of the secret key s_j and of the random numbers r that the bit lengths of the numbers s_j, r and y are shorter than the length of the prime number modulus p.

According to another feature of the invention, a method is particularly characterized in that other finite groups are employed for the formation of discrete logarithms instead of the finite groups that arise on the basis of residual class formation modulo p.

According to another feature of the invention, a method is particularly characterized in that a group of units Z_n^* of the invertible residue classes modulo a composite number n, a group of units of a finite field, an elliptic curve over a finite field or the like are provided as a finite group. Then this finite group plays the role of the group Z_p^*.

According to another feature of the invention, a method for verifying an abbreviated signature generated according to the third-mentioned feature at the subscriber receiving the signed message m is particularly characterized in that:

a number x̄ is calculated from the transmitted message m and from the signature (e, y) according to the rule

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{j,i}\, 2^{i-1}} \pmod{p}$$

and that a check is carried out to see whether the e value of the signature coincides with the value h(x̄, m).

The problem to be solved in practicing the present invention is comprised in the difficulty of calculating the discrete logarithm. Other known asymmetrical cryptomethods are also constructed on this foundation (for example, reference may be taken to T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, Vol. 31, 1985, pp. 469-472; D. Chaum, J. H. Evertse, J. van de Graaf, "An Improved Protocol for Demonstrating Possession of Discrete Logarithms and some Generalizations", Proceedings of Eurocrypt '87, Lecture Notes in Computer Science 304, (1988), pp. 127-141; T. Beth, "A Fiat-Shamir-like Authentication Protocol for the ELGAMAL Scheme", Eurocrypt '88 Abstracts, pp. 41-47). Compared to the known cryptomethods, the present invention has the advantage that the arithmetic operations can be comparatively more simply executed in the chip card. This occurs particularly due to the preliminary process provided. This preliminary process can also be combined with the mentioned cryptosystems of ELGAMAL, CHAUM-EVERTSE-van de GRAAF and BETH. In addition, especially short signatures can be generated in practicing the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and advantages of the invention, its organization, construction and operation will be best understood from the following detailed description, taken in conjunction with the accompanying drawings, on which:

FIG. 1 is a block diagram of the identification of a subscriber in accordance with the present invention;

FIG. 2 is an illustration of the method steps of the invention in the generating of a signature of a message to be transmitted;

FIG. 3 is a diagram of the steps for checking a signature generated according to FIG. 2;

FIG. 4 is a diagram of the method steps of the present invention in generating an abbreviated signature; and

FIG. 5 is a diagram of the steps used in the checking of the abbreviated signature generated according to FIG. 4.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In FIG. 1, an example is illustrated of how a subscriber A, for example a chip card belonging to the subscriber, proves his identity vis-a-vis a subscriber B, for example a chip card terminal.

In a data exchange system working with chip cards, the respective user-related chip cards are issued by one or, potentially, more classification centers (government representatives, credit card companies or the like), whereby the issue of the chip cards is not instituted until the identity of the respective user has been checked. The center then prepares a personal identification string I for a qualified user (name, address, ID number, etc.), attaches the user-related public key to this identification string I, this key having potentially been generated by the user himself, and publishes the pair formed of identification string I and the public key v in a publicly accessible list. The center itself does not see the secret key s and can therefore likewise not disclose the same. The identification string I, the public and secret keys v, s as well as a declared prime number p are stored in the chip card before the card is issued.

Instead of using a public list, the center can sign each pair (I, v). This signature is stored in the chip card and can be easily checked with the assistance of the public key of the center. After the chip cards and/or the public list have been issued, no further interaction with the center is necessary, neither for generating nor for checking signatures and identifications.

The identification begins with what is referred to as an initiation. The subscriber A or, respectively, the chip card thereby sends an identification string I and the public key v to the subscriber B or, respectively, to the appertaining terminal that verifies the identity. Differing from known cryptomethods, the public key is verified in the terminal, i.e. the terminal checks the relationship between the public key v and the identification string I and monitors the signature of the center in this manner. The public key v = (v_1, . . . , v_k) has a logical relationship to the secret key s = (s_1, . . . , s_k) and is defined as

$$v_j = 2^{-s_j} \pmod{p} \qquad \text{for } j = 1, \ldots, k,$$

where p is a prime number that is at least 512 bits long. As soon as the secret key s is selected, the corresponding public key v can be easily calculated. The inverse process, calculating the secret key s from the public key v, cannot be implemented because the calculation of the discrete logarithm modulo p for such large prime numbers p is beyond the range of present computers and algorithms. The component s_j of the secret cipher is the discrete logarithm modulo p of v_j^{-1}, i.e.

$$s_j = -\log_2 v_j \pmod{p-1} \qquad \text{for } j = 1, \ldots, k.$$

All discrete logarithms refer to the group Z_p^* (the multiplicative group modulo p) and, insofar as not otherwise noted, to the base 2. Since the order of the group Z_p^* is p - 1, the discrete logarithm assumes the values 1, 2, . . . , p - 1. Instead of the finite groups that arise due to residual formation modulo p, other finite groups can also be employed for the formation of the discrete logarithm, such as, for example, the group Z_n^* of invertible residue classes relative to a composite number n, the group of units of a finite field, an elliptic curve over a finite field, etc. Knowledge of the group order is not required for transferring the method to an arbitrary finite group. For example, it is adequate to calculate with the discrete logarithms on the order of magnitude . . .

The subscriber A then generates a random number r ∈ {1, . . . , p - 1} and the corresponding exponential value x := 2^r (mod p). The inverse arithmetic process, i.e. calculating the random number r from the x value, is extremely difficult insofar as p is adequately large. The subscriber B therefore has practically no possibility of discovering the random number r in the time available to him. This x value calculated at the subscriber A is transmitted to the subscriber B, i.e. to the terminal. Like the aforementioned secret key s_j, the random number r is a discrete logarithm. Following therefrom is that calculations at the side of the chip card are carried out with discrete logarithms and are carried out with the corresponding exponential value at the cooperating side, i.e. in the terminal of the subscriber B.

Generating the random number r and the exponential value x := 2^r (mod p) derived therefrom can be advantageously accelerated by a preliminary process that offers and regenerates a supply of a plurality of pairs each composed of a random number r and the appertaining x value in the chip card. This supply can be set up in the chip card itself or can be externally loaded into the chip card. In an initiated identification process, one of these pairs can therefore be immediately accessed, so that the respective x
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value can be immediately transmitted to the subscriber 
B. 

In the next step, the subscriber B now sends a random bit sequence

$$e = (e_{1,1}, \ldots, e_{t,k}) \in \{0,1\}^{kt}$$

to the subscriber A or, respectively, to the chip card.

After receiving the random bit sequence e, the chip card forms a linear combination of the secret keys $s_j$ stored therein, a linear combination dependent on the bits of the random bit sequence e, adds the current random number r thereto and transmits the numerical value y

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod{p-1}$$

formed in this manner to the subscriber B.

The subscriber B now checks whether the y value sent to him is the correct answer to the question raised, the subscriber A having been asked this question by the subscriber B sending the random bit sequence e. In this check, the subscriber B calculates the right-hand part of the following equation

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p$$

and determines with reference to a comparison whether the calculated numerical value $\bar{x}$ coincides with the x value already previously received from the subscriber A. This task to be carried out at the subscriber B is, in fact, relatively involved; because of the adequate computer performance usually present in the terminal, it can be carried out in a relatively short time. The identification check is therefore terminated, so that the subscriber A can initiate further measures insofar as the subscriber B identified a coincidence of the two x values.

By incorporating a message m, the described identification of the subscriber A can be expanded into an electronically-generated signature of the subscriber A under the message m. This electronic signature allows the subscriber B to document the identity of the subscriber A vis-a-vis a third party, for example a judge. In addition to this, it allows the proof that the subscriber A has signed the message m beyond all doubt. The following steps must be carried out (see FIG. 2) in order to sign a message m given utilization of the secret key $s_j$ stored at the subscriber A, i.e. in the chip card:

1. The subscriber A again selects a random number r and, as already set forth in conjunction with the identity check, calculates a x value according to the relationship

$$x := 2^{r} \pmod p.$$

Here also, of course, there is the possibility of accessing the stored supply and directly calling in the random number r and the appertaining x value.

2. The subscriber A now forms a hash value e from the message m and from the calculated x value or, respectively, from the x value taken from the supply, according to the relationship

$$e := h(x, m) \in \{0,1\}^{kt},$$

where h is thereby a publicly known hash function having values in $\{0,1\}^{kt}$.

3. Finally, the subscriber A calculates a y value from the components of the secret key $s_j$, the random bit sequence or, respectively, hash value e and the random number r according to the relationship

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod{p-1}.$$

The number pair x, y then yields what is referred to as the electronic signature of the message m. The two security numbers k and t preferably lie in the range between 1 and 20. They yield a security level $2^{kt}$, i.e. at least $2^{kt}$ multiplications (modulo p) are needed for counterfeiting the signature or, respectively, the identity. For example, k = 1 and t = 72 yields a security level $2^{72}$ that is adequate for signatures.

Proceeding on the basis of this signature formed by the numbers x and y, whereby both numbers are at least 512 bits long, various possibilities of abbreviating the signature derive. One of the possibilities provides that the number x be replaced by the hash value e = h(x, m) that is only 72 bits long. The signature is now composed of only the y and e values (see FIG. 4). A next step is comprised in no longer taking the numbers y, r, $s_j$ in the size of the modulus p, but only small numbers for y, r, $s_j$ that, however, are at least 140 bits long for the security level $2^{72}$. An especially simple possibility of achieving short signatures is comprised therein that the prime number modulus p is selected such that a second prime number q divides the value (p − 1), whereby q is 140 bits long. The base 2 is then replaced by a number a, so that

$$a^{q} \equiv 1 \pmod p, \qquad a \not\equiv 1 \pmod p$$

applies. It follows therefrom that all discrete logarithms can be calculated modulo q, i.e. logarithms for the selected number a are calculated, whereby all logarithms can then lie in the range from 1 through q. This has the advantage that a number that is smaller than q derives for the y value of the signature. Proceeding from the random number

$$r \in \{1, \ldots, q-1\},$$

from

$$x := a^{r} \pmod p$$

calculated therefrom as well as from the arbitrary bit sequence

$$e := h(x, m) \in \{0,1\}^{kt}$$

and from the number y

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod q$$

calculated therefrom, a total length of 212 bits now derives for the signature formed from the numbers y and e with y = 140 bits and e = 72 bits. A signature abbreviated in this manner has the security level of $2^{72}$, i.e. approximately $2^{72}$ multiplications modulo p are required in order to counterfeit a signature.

The following steps are performed by the subscriber B, i.e. in the terminal, for verification of a signature composed of the numbers x and y. First, as shown in FIG. 3,

$$e := h(x, m)$$

is calculated and the equality test is then implemented such that the x value calculated according to the equation

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p$$

is compared to the x value of the signature.

Given abbreviated signatures in which x is replaced by e, the verification according to FIG. 5 occurs in such a fashion that

$$\bar{x} := a^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p$$

is calculated and a check is carried out to see whether the number $\bar{x}$ supplies the correct e value, i.e. whether the hash value $h(\bar{x}, m)$ coincides with the value e.

Only relatively slight calculating tasks must be performed in the chip card both in the identification protocol and in the signature. Although the key $s_j$ must still be multiplied by relatively small numbers in calculating the number y, this multiplication can be resolved into simple additions and shift events, what are referred to as shifts, whereby the product of $s_j$ and $e_{i,j}$ merely has to be shifted i − 1 positions toward the left. The random number r, finally, is then to be attached to this intermediate result by addition.

Although the calculation of the number

$$x := 2^{r} \pmod p$$

is also involved, it can be practically neglected in terms of time expenditure due to the aforementioned preliminary process when x values corresponding to a few random numbers are calculated in advance and a plurality of pairs of numbers composed of r values and x values are stored as a supply.

In order to prevent having the same number pairs being used over and over again at regular intervals given a limited plurality of pairs, a rejuvenation is carried out insofar as each pair, after use, is subsequently combined with other, potentially all, pairs of the supply, in particular again in a random fashion. The result thereof is that the supply is rejuvenated and varied over and over, little by little.

For the rejuvenation, let it be assumed that a supply of k number pairs $(r_i, x_i)$ is present for i = 1, ..., k. In order to renew the pair $(r_v, x_v)$, random indices $a(1), \ldots, a(t-1) \in \{1, \ldots, k\}$, for example, are selected, as is a pair $(r_u, x_u)$ that has just been rejuvenated, and the new pair $(r_v, x_v)$ is calculated with a(t) = u according to the rule

$$r_v := \sum_{i=1}^{t} 2^{i-1}\, r_{a(i)} \pmod{p-1},$$

$$x_v := \prod_{i=1}^{t} x_{a(i)}^{2^{i-1}} \pmod p.$$

The relationship $x_v = 2^{r_v} \pmod p$ again holds true for the new pair $(r_v, x_v)$. The new number $r_v$ can be calculated with t additions and the new number $x_v$ can be calculated with t multiplications. Another rejuvenation of the pair $(r_v, x_v)$ is possible according to the rule

$$r_v := r_v + \sum_{i=1}^{t} 2^{i}\, r_{a(i)} \pmod{p-1},$$

$$x_v := x_v \prod_{i=1}^{t} x_{a(i)}^{2^{i}} \pmod p.$$

The new number $r_v$ can then be calculated with t additions and t shifts, and the new number $x_v$ with 2t multiplications. Beginning with z = 1, the steps

$$z := z \cdot x_{a(i)} \pmod p, \qquad z := z^{2} \pmod p$$

are implemented for this purpose with the index i descending from t to 1, and the new $x_v$ is formed as the product of the old value with the most recently calculated number z according to the rule

$$x_v^{\mathrm{new}} := x_v^{\mathrm{old}} \cdot z \pmod p.$$

In the rejuvenation, the selection a(t) = u has the result that a number $r_u$ that was just rejuvenated is multiplied by the highest power of 2. This leads to an especially effective rejuvenation of the supply. It is advantageous to employ in a signature a pair that is formed as a random combination of the pairs just stored; intermediate values that arise anyway given the rejuvenation of $r_v$, $x_v$ are well suited for this purpose.

Of course, these rejuvenation processes for the pair $(r_v, x_v)$ can be combined and varied. The only matter of consequence is that the rejuvenation occurs as quickly as possible and cannot be duplicated from the signatures that have been performed. A small number t is thereby expediently employed; the rejuvenation cannot be discovered when the supply of numerical pairs, i.e. the number k, is adequately large. It is advantageous to co-employ the key pairs $s_j$, $v_j$ in the rejuvenation; for example, a cipher pair $(s_j, v_j)$ can be selected for a number pair $(r_{a(i)}, x_{a(i)})$. Given t = 6 and k = 10, the rejuvenation of a number pair requires only 6 or, respectively, 12 multiplications that can be implemented more or less incidentally, for example when no other arithmetic operations are to be executed in the terminal.

The versatile possibilities of rejuvenating the number pairs $(r_v, x_v)$ can be differently used in each chip card. For example, the combination of the cipher pairs of the supply can be randomly fashioned in each card. Discovery of the rejuvenation process is practically impossible in this manner.

In the case of the abbreviated signature, the random numbers $r_v$ must be small so that the y part of the signature also remains small. This is achieved in a simple manner in that a base a is selected for which a 140 bit long prime number q is the modulus of the discrete logarithms, so that $a^{q} = 1 \pmod p$ is valid. The rejuvenation of the random numbers $r_v$, of course, is then calculated modulo q, i.e. the modulus p − 1 is replaced by the modulus q.

Although I have described my invention by reference to particular illustrative embodiments thereof, many changes and modifications of the invention may become apparent to those skilled in the art without departing
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from the spirit and scope of the invention. I therefore 
intend to include within the patent warranted hereon all 
such changes and modifications as may reasonably and 
properly be included within the scope of my contribu- 
tion to the art. 
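The identification protocol and the abbreviated signature described above, carried out end to end on both sides (chip card and terminal). This is an added worked example and not code from the patent. The parameter generation (a 62-bit prime p with a 40-bit prime q dividing p − 1 and a base a of order q, found here by a Miller-Rabin search), the choice of SHA-256 truncated to kt bits as the public hash h, and the sizes k = 4, t = 18 (so that e is 72 bits long, as in the text) are assumptions made so that the block runs offline; a real deployment uses the 512-bit p and 140-bit q the text calls for.

```python
"""Schnorr-type identification and short signature, following the text.

Added example, not the patent's code. Notation follows the page: k secret
keys s_j, public keys v_j = a^(-s_j) mod p, a k*t-bit challenge e with
E_j = sum_i e_{i,j} 2^(i-1), response y = r + sum_j s_j E_j (mod q).
Assumptions: toy parameters generated here (p about 62 bits, q about
40 bits, q | p-1, a of order q) instead of the text's 512-bit p and
140-bit q; SHA-256 truncated to k*t bits stands in for the unspecified
hash h; k = 4, t = 18 makes e 72 bits long as in the text.
"""
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases, exact for every n < 2^64 used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q_bits=40, p_bits=62):
    """Prime q, prime p = c*q + 1 and a base a with a^q = 1, a != 1 (mod p)."""
    q = (1 << q_bits) + 1
    while not is_prime(q):
        q += 2
    c = 1 << (p_bits - q_bits)
    while not is_prime(c * q + 1):
        c += 1
    p = c * q + 1
    g = 2
    while pow(g, c, p) == 1:      # g^((p-1)/q) has order exactly q unless it is 1
        g += 1
    return p, q, pow(g, c, p)


def keygen(p, q, a, k):
    """k secret exponents s_j in [1, q-1]; public v_j = a^(-s_j) = a^(q-s_j) mod p."""
    s = [1 + secrets.randbelow(q - 1) for _ in range(k)]
    return s, [pow(a, q - sj, p) for sj in s]


def split_challenge(e, k, t):
    """E_j = sum_i e_{i,j} 2^(i-1): the j-th t-bit chunk of the k*t-bit value e."""
    return [(e >> (t * j)) & ((1 << t) - 1) for j in range(k)]


def response(r, s, E, q):
    """Chip-card side: y = r + sum_j s_j E_j (mod q), shifts and additions only."""
    return (r + sum(sj * Ej for sj, Ej in zip(s, E))) % q


def recompute_x(y, v, E, p, a):
    """Terminal side: x-bar = a^y * prod_j v_j^(E_j) (mod p)."""
    xbar = pow(a, y, p)
    for vj, Ej in zip(v, E):
        xbar = xbar * pow(vj, Ej, p) % p
    return xbar


def identify(p, q, a, s, v, k, t):
    """One identification round, A = card (prover), B = terminal (verifier)."""
    r = 1 + secrets.randbelow(q - 1)                    # A: random exponent
    x = pow(a, r, p)                                    # A -> B: x
    E = split_challenge(secrets.randbits(k * t), k, t)  # B -> A: challenge e
    y = response(r, s, E, q)                            # A -> B: y
    return recompute_x(y, v, E, p, a) == x              # B: compare x-bar with x


def h(x, m, bits):
    """Stand-in for the page's hash h(x, m) with values in {0,1}^(k t)."""
    d = hashlib.sha256(x.to_bytes(16, "big") + m).digest()
    return int.from_bytes(d, "big") >> (256 - bits)


def sign(p, q, a, s, k, t, m):
    """Short signature (e, y): x = a^r, e = h(x, m), y = r + sum s_j E_j (mod q)."""
    r = 1 + secrets.randbelow(q - 1)
    e = h(pow(a, r, p), m, k * t)
    return e, response(r, s, split_challenge(e, k, t), q)


def verify(p, a, v, k, t, m, sig):
    """Recompute x-bar from (e, y) and accept iff h(x-bar, m) == e."""
    e, y = sig
    return h(recompute_x(y, v, split_challenge(e, k, t), p, a), m, k * t) == e


if __name__ == "__main__":
    P, Q, A = make_params()
    K, T = 4, 18
    S, V = keygen(P, Q, A, K)
    print("identification accepted:", identify(P, Q, A, S, V, K, T))
    sig = sign(P, Q, A, S, K, T, b"transfer 100 to account 42")
    print("signature accepted:", verify(P, A, V, K, T, b"transfer 100 to account 42", sig))
    print("tampered message accepted:", verify(P, A, V, K, T, b"transfer 900", sig))
```

The card side never performs a modular exponentiation during a run: `response` is the shift-and-add of the text, and `x = a^r` is exactly the value the preliminary process would have taken from the stored supply. The terminal side carries the k + 1 exponentiations.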
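The supply of (r, x) pairs and the two rejuvenation rules described above, as an added example that is not part of the patent text. It assumes the Mersenne prime p = 2^31 − 1 and the base a = 7 (a primitive root mod p) in place of the text's 512-bit modulus and base 2, so that every pair has to satisfy x = a^r (mod p) with exponents reduced mod p − 1, and it uses k = 10 and t = 6 as the text does. The invariant is checked after every rejuvenation, and the multiplication counts returned are the 6 and 12 the text quotes.

```python
"""Supply of (r, x) pairs with the two rejuvenation rules from the text.

Added example, not the patent's own code. Assumptions: p = 2^31 - 1 and
base a = 7 (a primitive root mod p) replace the text's 512-bit modulus
and base 2, so every pair must satisfy x = a^r (mod p) with exponents
reduced mod p - 1; k = 10 pairs and t = 6 combined pairs are the sizes
the text quotes. A seeded PRNG only makes the run reproducible.
"""
import random

P = (1 << 31) - 1   # assumed toy modulus
A = 7               # assumed base of order p - 1
K, T = 10, 6


def make_supply(rng, k=K):
    """Preliminary process: k random exponents r_i and their x_i = a^r_i (mod p)."""
    return [(r, pow(A, r, P)) for r in (rng.randrange(1, P - 1) for _ in range(k))]


def consistent(pair):
    """Invariant every stored pair must keep: x = a^r (mod p)."""
    r, x = pair
    return pow(A, r, P) == x


def rejuvenate_fresh(supply, v, u, rng, t=T):
    """Rule 1: replace pair v by t randomly chosen pairs, a(t) = u being the
    pair rejuvenated last so that r_u carries the highest power of two:
        r_v := sum_{i=1..t} 2^(i-1) r_a(i)       (mod p-1)
        x_v := prod_{i=1..t} x_a(i)^(2^(i-1))    (mod p)
    Returns t, the number of stored pairs folded in (the text counts one
    multiplication per pair)."""
    idx = [rng.randrange(K) for _ in range(t - 1)] + [u]   # idx[i-1] = a(i)
    r_new, x_new, folded = 0, 1, 0
    for i, j in enumerate(idx):                 # i here is the text's i - 1
        rj, xj = supply[j]
        r_new = (r_new + (rj << i)) % (P - 1)   # shift i positions, then add
        x_new = x_new * pow(xj, 1 << i, P) % P
        folded += 1
    supply[v] = (r_new, x_new)
    return folded


def rejuvenate_accumulate(supply, v, u, rng, t=T):
    """Rule 2: keep the old pair and fold t others into it using the z-loop
    of the text (z := z * x_a(i), z := z^2 for i = t down to 1, from z = 1),
    which gives z = prod x_a(i)^(2^i) with 2t multiplications:
        r_v := r_v + sum_{i=1..t} 2^i r_a(i)    (mod p-1)
        x_v := x_v * z                          (mod p)
    Returns the number of multiplications mod p spent in the z-loop (2t)."""
    idx = [rng.randrange(K) for _ in range(t - 1)] + [u]   # idx[i-1] = a(i)
    r_old, x_old = supply[v]
    z, r_sum, mults = 1, 0, 0
    for i in range(t, 0, -1):                   # index i descending from t to 1
        rj, xj = supply[idx[i - 1]]
        z = z * xj % P
        z = z * z % P
        mults += 2
        r_sum += rj << i
    supply[v] = ((r_old + r_sum) % (P - 1), x_old * z % P)
    return mults


def run_demo(seed=1, rounds=40):
    """Consume one pair per round (as an identification or signature would)
    and rejuvenate it, alternating the two rules; returns
    (invariant held throughout, count of rule 1, count of rule 2)."""
    rng = random.Random(seed)
    supply = make_supply(rng)
    held, m1, m2, last = all(map(consistent, supply)), 0, 0, 0
    for n in range(rounds):
        v = rng.randrange(K)                    # the pair just used
        if n % 2 == 0:
            m1 = rejuvenate_fresh(supply, v, last, rng)
        else:
            m2 = rejuvenate_accumulate(supply, v, last, rng)
        held = held and consistent(supply[v])
        last = v                                # a(t) = u for the next round
    return held and all(map(consistent, supply)), m1, m2


if __name__ == "__main__":
    print(run_demo())
```

Both rules keep the discrete-logarithm relationship between the halves of a pair, which is what lets a rejuvenated pair be used in the next identification or signature without any fresh exponentiation on the card. Note that the real security of the supply rests on the claim, made in the text but not checked by any code, that the combination cannot be reconstructed from the signatures issued; the PRNG here is seeded only for reproducibility and must be a cryptographic generator in practice.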
I claim: 

1. In a method for mutual identification of subscribers in a data exchange system working with processor chip cards and using identification data coded into the cards by a card-issuing center including subscriber-related public keys and stored in the respective chip cards along with private keys which have a logical relationship to the public keys, whereby random number-dependent check data are exchanged between the subscribers, comprising the steps of:

transmitting from a chip card the coded identification data together with a signature of the center to a subscriber entering into an information exchange with the chip card;

at the subscriber checking the correctness of the coded identification data with reference to known information including a public list or reference to the signature of the center;

forming in the chip card a x value proceeding from a random, discrete logarithm $r \in \{1, \ldots, p-1\}$, where p is a declared prime number modulus, and according to the rule

$$x := 2^{r} \pmod p;$$

transmitting the x value to the subscriber;

transmitting from the subscriber a random bit sequence

$$e = (e_{1,1}, \ldots, e_{t,k}) \in \{0,1\}^{kt}$$

to the chip card;

multiplying the stored, private key $s_j$ representing a discrete logarithm with a binary number formed from the bits of the random bit sequence e transmitted from the subscriber to the chip card and adding the random number r allocated to the previously-transmitted x value to calculate, at the chip card, a number y according to the rule

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod{p-1};$$

transmitting the number y to the subscriber;

at the subscriber, calculating a number $\bar{x}$ with reference to the number y according to the rule

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p;$$

checking the identity of the chip card user by comparing the calculated number $\bar{x}$ and the x value previously communicated to the subscriber.

2. A method for generating a signature according to the method of claim 1, wherein:

the step of forming a x value is further defined as generating a random number r within the range of between 1 and the prime number modulus (p − 1) and calculating the x value according to the rule

$$x := 2^{r} \pmod p$$

from the generated random number r;

forming a random bit sequence as a function of the x value, of a message m and of a declared hash function h according to the rule

$$e := h(x, m) \in \{0,1\}^{kt};$$

calculating a y value from the random number r, from the private cipher $s_j$ stored in the chip card and from the random bit sequence e according to the rule

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod{p-1};$$

transmitting the message m and the signature formed from the values x and y to the subscriber which is in information exchange with the chip card.

3. A method for generating an abbreviated signature for a message to be transmitted in a data exchange system according to the method of claim 1, and further comprising steps defined as:

at the chip card, generating a random number r lying in the range between 1 and the prime number modulus (p − 1);

at the chip card, calculating a x value from the random number r according to the rule

$$x := 2^{r} \pmod p;$$

at the chip card, calculating a random bit sequence e as a function of the x value and of the message according to the rule

$$e := h(x, m) \in \{0,1\}^{kt};$$

at the chip card, calculating a y value from the random number r, from the secret key $s_j$ and from the random bit sequence e according to the rule

$$y := r + \sum_{j=1}^{k} s_j \sum_{i=1}^{t} e_{i,j}\, 2^{i-1} \pmod{p-1};$$

transmitting from the chip card the message m and the signature formed from the values e and y to the subscriber which is in information exchange with the chip card.

4. The method of claim 3, and further comprising the steps of:

generating a plurality of the random numbers r and a plurality of x values and storing the same in pairs in the chip card;

employing one of the pairs of stored random numbers r and x values $(r_v, x_v)$ in an identification procedure and varying the pair in such a manner that a random number r, after use thereof, is combined with a random selection of the remaining, stored random numbers; and

calculating the appertaining x value with the rejuvenated random number and storing the same with the rejuvenated random number r as a rejuvenated pair.

5. The method of claim 4, and further defined as comprising:

storing the plurality of random numbers $r_1, \ldots, r_k$ and their appertaining $x_i = 2^{r_i} \pmod p$ in the chip card; and

rejuvenating the pair $(r_v, x_v)$ used in an identification procedure and/or a signature procedure by random selection $(r_{a(i)}, x_{a(i)})$ of the pairs for i = 1, ..., t in accordance with

$$r_v := \sum_{i=1}^{t} 2^{i-1}\, r_{a(i)} \pmod{p-1},$$

$$x_v := \prod_{i=1}^{t} x_{a(i)}^{2^{i-1}} \pmod p.$$

6. The method of claim 5, and further defined as:

selecting the prime number modulus p such that the number (p − 1) is divisible by a prime number q and by such a selection of the base a of a discrete logarithm that

$$a^{q} = 1 \pmod p, \qquad a \neq 1 \pmod p$$

holds true; and

calculating discrete logarithms y, r, $s_j$ modulo q such that key components $s_j$ and $v_j$ are in the relationship

$$v_j = a^{-s_j} \pmod p.$$

7. The method of claim 6, and further defined as:

selecting the secret key $s_j$ and the random numbers r such that the bit lengths of the numbers $s_j$, r and y are shorter than the length of the prime number modulus p.

8. The method of claim 6, and further defined as:

selecting finite groups for the formation of the discrete logarithm instead of the finite groups that arise on the basis of residue classes modulo p.

9. The method of claim 8, and further defined as:

selecting one from the groups consisting of $Z_n^{*}$, the group of invertible residue classes modulo a composite number n, a group of units of a finite field, and an elliptic curve over a finite field as a finite group.

10. A method for the verification of a signature (x, y) generated according to the method of claim 2 at the subscriber receiving the signed message m, comprising the steps of:

calculating a random bit sequence e from the message m and from the x value of the signature according to the rule

$$e := h(x, m) \in \{0,1\}^{kt};$$

calculating an $\bar{x}$ value according to the rule

$$\bar{x} := 2^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p$$

from the random bit sequence e, from the public cipher $v_j$ and from the y value of the signature; and

comparing the calculated $\bar{x}$ value with the x value of the signature.

11. A method for verifying an abbreviated signature generated according to the method of claim 3 at the subscriber receiving the signed message m, comprising the steps of:

calculating a number $\bar{x}$ from the transmitted message m and from the signature (e, y) according to the rule

$$\bar{x} := a^{y} \prod_{j=1}^{k} v_j^{\sum_{i=1}^{t} e_{i,j} 2^{i-1}} \pmod p;$$

checking the value e of the signature for coincidence with the value $h(\bar{x}, m)$.

* * * * *
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[57] ABSTRACT 

A public key cryptographic system is disclosed with enhanced digital signature certification which authenticates the identity of the public key holder. A hierarchy of nested certifications and signatures are employed which indicate the authority and responsibility levels of the individual whose signature is being certified. The present invention enhances the capabilities of public key cryptography so that it may be employed in a wider variety of business transactions, even those where two parties may be virtually unknown to each other. Counter-signature and joint-signature requirements are referenced in each digital certification to permit business transactions to take place electronically, which heretofore often only would take place after at least one party physically winds his way through a corporate bureaucracy. The certifier in constructing a certificate generates a special message that includes fields identifying the public key which is being certified, and the name of the certifiee. In addition, the certificate constructed by the certifier includes the authority which is being granted including information which reflects issues of concern to the certifier such as, for example, the monetary limit for the certifiee and the level of trust which is granted to the certifiee. The certificate may also specify cosignature requirements which are being imposed upon the certifiee.
PUBLIC KEY/SIGNATURE CRYPTOSYSTEM WITH ENHANCED DIGITAL SIGNATURE CERTIFICATION

FIELD OF THE INVENTION

This invention relates to a cryptographic communications system and method. More particularly, the invention relates to a public key or signature cryptosystem having improved digital signature certification for indicating the identity, authority and responsibility levels associated with at least the sender of a digital message.

BACKGROUND AND SUMMARY OF THE INVENTION

The rapid growth of electronic mail systems, electronic funds transfer systems and the like has increased concerns over the security of data transmitted over unsecured communication channels. Cryptographic systems are widely used to ensure the privacy and authenticity of messages communicated over such insecure channels.

In a conventional cryptographic system, a method of encryption is utilized to transform a message into a message which is unintelligible. Thereafter, a method of decryption is utilized for decoding the encrypted message to restore the message to its original form.

Conventional cryptographic signature and authentication systems typically utilize a "one way" hashing function to transform the plain text message into a form which is unintelligible. A "hashing" function as used herein is a function which can be used on an aggregation of data to create a smaller, more easily processed aggregation of data.

An important characteristic of the hashing function is that it be a "one-way" function. A hash is a "one-way" function if it is far more difficult to compute the inverse of the hashing function than it is to compute the function. For all practical purposes, the value obtained from applying the hashing function to the original aggregation of data is an unforgeable unique fingerprint of the original data. If the original data is changed in any manner, the hash of such modified data will likewise be different.

In conventional cryptographic systems, binary coded information is encrypted into an unintelligible form called cipher and decrypted back into its original form utilizing an algorithm which sequences through encipher and decipher operations utilizing a binary code called a key. An example is the algorithm of the National Bureau of Standards referred to as the Data Encryption Standard (DES); see Data Encryption Standard, FIPS PUB 46, National Bureau of Standards, Jan. 5, 1977. Computer data is cryptographically protected using the DES algorithm in conjunction with a key. Each member of a group of authorized users of encrypted computer data must have the key that was used to encipher the data in order to use it. This key held by each member in common is used to decipher the data received in cipher form from other members of the group.

The key chosen for use in a particular application makes the results of encrypting data using the DES algorithm unique. Selection of a different key causes the cipher that is produced for a given set of inputs to be different. Unauthorized recipients of the cipher text who know the DES algorithm, but who do not have the secret key, cannot derive the original data algorithmically.

Thus, the cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data. As in most conventional cryptographic systems, the ultimate security of the DES system critically depends on maintaining the secrecy of the cryptographic key. Keys defined by the DES system include sixty-four binary digits of which fifty-six are used directly by the DES algorithm as the significant digits of the key and eight bits are used for error detection.

In such conventional cryptographic systems, some secure method must be utilized to distribute a secret key to the message sender and receiver. Thus, one of the major difficulties with existing cryptographic systems is the need for the sender and receiver to exchange a single key in a manner such that an unauthorized party does not have access to the key.

The exchange of such a key is frequently done by sending the key prior to a message exchange via, for example, a private courier or registered mail. While providing the necessary security, such key distribution techniques are usually slow and expensive. If the need for communication between sender and receiver is only to have one private message exchange, such an exchange could be accomplished by private courier or registered mail, thereby rendering the cryptographic communication unnecessary. Moreover, if the need to communicate privately is urgent, the time required to distribute the private key causes an unacceptable delay.

Public key cryptographic systems solve many of the key distribution problems associated with conventional cryptographic systems. In public key cryptographic systems the encrypting and decrypting processes are decoupled in such a manner that the encrypting process key is separate and distinct from the decrypting process key. Thus, for each encryption key there is a corresponding decryption key which is not the same as the encryption key. Even with knowledge of the encryption key, it is not feasible to compute the decryption key.

With a public key system, it is possible to communicate privately without transmitting any secret key. A public key system does require that an encryption/decryption key pair be generated. The encryption keys for the users may be distributed or published, and anyone desiring to communicate simply encrypts his or her data. Only the destination user, who retains the secret decrypting key, is able to decipher the transmitted message. Revealing the encryption key discloses nothing useful about the decrypting key, i.e., only persons having knowledge of the decrypting key can decrypt the message. The RSA cryptographic system which is disclosed in U.S. Pat. No. 4,405,829 issued to Rivest et al. discloses an exemplary methodology for a practical implementation of a public key cryptographic system.

A major problem in public key and other cryptographic systems is the need to confirm that the sender of a received message is actually the person named in the message. An authenticating technique known as "digital signatures" allows a user to employ his secret key to "sign a message" which the receiving party or a
third party can validate using the originator's public key. See, for example, U.S. Pat. No. 4,405,829.

A user who has filed a public key in a publicly accessible file can digitally sign a message by decrypting the message or a hash of it with the user's private key before transmitting the message. Recipients of the message can verify the message or signature by encrypting it with the sender's public encryption key. Thus, the digital signature process is essentially the reverse of the typical cryptographic process in that the message is first decrypted and then encrypted. Anyone who has the user's public encryption key can read the message or signature, but only the sender having the secret decryption key could have created the message or signature.

Serious problems still persist in public key cryptosystems of assuring that a specified public key is that actually created by the specified individual. One known technique for addressing this problem is to rely on some trusted authority, e.g., a governmental agency, to insure that each public key is associated with the person who is claiming to be the true author.

The trusted authority creates a digital message which contains the claimant's public key and the name of the claimant (which is accurate to the authority's satisfaction) and a representative of the authority signs the digital message with the authority's own digital signature. This digital message, often known as a certificate, is sent along with the [...] of the claimant [...] signature [...]. [...] cate failed to provide any indication of the degree of trust or the level of responsibility [...] with which the sender of the message should be empowered. The [...]fication merely indicates [...] the sender [...].

[...] However, as the number of parties who desire to use the public key system expands, the number of published [...] to a size where [...] issuing author[ity ...] people who they are claiming to be. Thus, a party may [...] in the public directory under the name of the chairman of a major corporation, e.g., for example [...]ration. Such an individual may then be in a position to receive private messages directed to the chairman of General Motors or to create signatures which ostensibly belong to [...].

There are also technologies for producing digital signatures which may not require full public key capability, including, for example, the Fiat-Shamir algorithm. Any digital signature methodology may be employed to implement the digital signatures referenced herein. Any reference to public key cryptosystems should also be construed to reflect signature systems. Any reference to public key decryption should be taken as a generalized reference to signature creation and any reference to encryption should be taken as a reference to signature verification.

The present invention addresses such problems with the public key or signature cryptographic system relating to authenticating the identity of the public key holder by expanding the capability of digital signature certification. In this regard, a certification methodology is utilized which employs multiple level certification while at the same time indicating the authority and responsibility levels of the individual whose signature is being certified, as is explained in detail below.

The present invention enhances the capabilities of public key cryptography so that it may be employed in a wider variety of business transactions, even those where two parties may be virtually unknown to each other.

The digital signature certification method and apparatus of the present invention provides for a hierarchy of certifications and signatures. It also allows for co-signature requirements. In this regard, counter-signature and joint-signature requirements are referenced in each certification to permit business transactions to take place electronically, which heretofore often only would take place after at least one party physically winds his way through a corporate bureaucracy.

In the present invention, a digital signature [...] (the certifiee). The certifier in constructing a certificate generates a special message that includes fields identifying the public key which is being certified, and the name of the certifiee. In addition, the certificate constructed by the certifier includes the authority which is being granted, including information which reflects issues of concern to the certifier such as, for example, the monetary limit for the certifiee and the level of trust which is granted to the certifiee. The certificate may also specify co-signature requirements as being imposed upon the certifiee. [...] transferred or authorized to [...]. To this end, the certificate of the present invention is constructed to reflect (in addition to the public key and the name of the certifiee and other fields) the number of joint signatures required and an indication as to the identity of qualifying [...]. [...] the public key of each of the other [...] to sign jointly may be included in the certificate. In this fashion, the recipient is informed that any material which is signed by the authority of the sender's certificate must also be signed by a number of other signators. The recipient is therefore able to verify other joint and counter signatures by simply comparing the public keys present in each signature with the certificate. The present invention also includes other ways of indicating co-signature requirements such as by indicating other certificates. Such indications of other public key holders may be explicit (with a [...]) or implicit, by specifying some other attribute or affiliation. This attribute or affiliation may also be indicated in each co-signer's certificate.

Additionally, the present invention provides for the certification of digital signatures such that a trust level is granted to the recipient for doing subcertifications. In this manner, a trust level of responsibility flows from a central trusted source.
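The certificate structure described in the summary above, with the trust codes of the exemplary embodiment that follows, worked through in code: a hierarchy root to certifier to certifiee, a monetary limit, and a joint-signature requirement checked by comparing the public keys present in the signatures with those named in the certificate. This is an added example, not the patent's own code or data. The field names, the three trust codes and the rule that a certifier can grant no more than its own certificate permits are this example's reading of the text; signatures are textbook RSA over a SHA-256 digest (the text's "decrypt the hash with the private key, encrypt with the public key"), with tiny Mersenne-prime moduli chosen only so the block runs offline.

```python
"""Certificate hierarchy with trust codes and co-signature requirements.

Added example, not the patent's own code or data. The field names, the
three trust codes and the rule that a certifier can grant no more than
its own certificate permits are this example's reading of the summary
above. Signatures are textbook RSA over a SHA-256 digest with tiny
Mersenne-prime moduli so the block runs offline; such keys are toys.
"""
import hashlib
import json

E = 65537
IDENTIFIED = 0      # known to the certifier, may use the key, may not certify
MAY_CERTIFY = 1     # may identify other persons on the certifier's behalf
MAY_DELEGATE = 2    # may certify and may pass that authority on


def rsa_keypair(p, q):
    """Toy RSA key from two primes: ((n, e), d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def digest(obj, n):
    """Canonical JSON of the message or certificate body, hashed, reduced mod n."""
    h = hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(obj, pub, priv):
    """'Decrypt' the hash with the private key, in the text's wording."""
    return pow(digest(obj, pub[0]), priv, pub[0])


def verify(obj, pub, sig):
    """'Encrypt' the signature with the public key and compare to the hash."""
    return pow(sig, pub[1], pub[0]) == digest(obj, pub[0])


def make_cert(certifier, cert_pub, cert_priv, name, pub, trust, limit,
              cosign_required=0, cosigners=()):
    """The certifier's special message: key, holder's name, granted authority
    (trust code, monetary limit) and co-signature requirements, then signed."""
    body = {"name": name, "key": list(pub), "certifier": certifier,
            "trust": trust, "limit": limit,
            "cosign_required": cosign_required,
            "cosigners": [list(k) for k in cosigners]}
    return {"body": body, "sig": sign(body, cert_pub, cert_priv)}


def chain_valid(chain, root_pub):
    """chain[0] is the signer's certificate; chain[-1] was issued by the root.
    Each link must be signed by the holder of the next certificate, whose own
    code must allow certifying, and allow delegating when the link it issued
    itself grants certifying authority."""
    for cert, issuer in zip(chain, chain[1:] + [None]):
        issuer_pub = root_pub if issuer is None else tuple(issuer["body"]["key"])
        issuer_trust = MAY_DELEGATE if issuer is None else issuer["body"]["trust"]
        if not verify(cert["body"], issuer_pub, cert["sig"]):
            return False
        if issuer_trust < MAY_CERTIFY:
            return False
        if cert["body"]["trust"] >= MAY_CERTIFY and issuer_trust < MAY_DELEGATE:
            return False
    return True


def message_valid(msg, sigs, chain, root_pub):
    """msg = {"text", "amount"}; sigs maps public key -> signature over msg.
    Checks the chain, the monetary limit, the signer's own signature and the
    required number of co-signatures from the keys named in the certificate."""
    if not chain_valid(chain, root_pub):
        return False
    body = chain[0]["body"]
    signer = tuple(body["key"])
    if msg["amount"] > body["limit"]:
        return False
    if signer not in sigs or not verify(msg, signer, sigs[signer]):
        return False
    cosigned = sum(1 for k in map(tuple, body["cosigners"])
                   if k in sigs and verify(msg, k, sigs[k]))
    return cosigned >= body["cosign_required"]


def demo():
    """Root -> security office (may delegate) -> treasurer (identified only,
    limit 50 000, one co-signature by the controller required). Returns
    (not co-signed, co-signed, over limit, treasurer certifying someone)."""
    root_pub, root_priv = rsa_keypair(2**127 - 1, 2**89 - 1)
    office_pub, office_priv = rsa_keypair(2**107 - 1, 2**61 - 1)
    treas_pub, treas_priv = rsa_keypair(2**31 - 1, 2**19 - 1)
    ctrl_pub, ctrl_priv = rsa_keypair(2**17 - 1, 2**13 - 1)
    office = make_cert("ROOT", root_pub, root_priv, "Security Office",
                       office_pub, MAY_DELEGATE, 10_000_000)
    treas = make_cert("Security Office", office_pub, office_priv, "Treasurer",
                      treas_pub, IDENTIFIED, 50_000, 1, [ctrl_pub])
    chain = [treas, office]
    msg = {"text": "pay vendor 4711", "amount": 40_000}
    sigs = {treas_pub: sign(msg, treas_pub, treas_priv)}
    alone = message_valid(msg, sigs, chain, root_pub)
    sigs[ctrl_pub] = sign(msg, ctrl_pub, ctrl_priv)
    joint = message_valid(msg, sigs, chain, root_pub)
    big = {"text": "pay vendor 4711", "amount": 60_000}
    sigs_big = {k: sign(big, k, d) for k, d in
                ((treas_pub, treas_priv), (ctrl_pub, ctrl_priv))}
    over = message_valid(big, sigs_big, chain, root_pub)
    rogue = make_cert("Treasurer", treas_pub, treas_priv, "Rogue", ctrl_pub,
                      IDENTIFIED, 1)
    return alone, joint, over, chain_valid([rogue, treas, office], root_pub)
```

The four verdicts come out (False, True, False, False): the treasurer's signature alone is refused because the certificate demands a co-signature, the jointly signed message is accepted, the message above the monetary limit is refused before any signature is examined, and a certificate issued by a holder whose own code is IDENTIFIED is rejected at the first link of the chain.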
In an exemplary embodiment of the present invention, a certifier is permitted to assign with one predetermined digital code a trust level which indicates that the certifier warrants that the user named in the certificate is known to the certifier and is certified to use the associated public key. However, by virtue of this digital code, the user is not authorized to make any further identifications or certifications on the certifier's behalf. Alternatively, the certifier may issue a certificate having other digital codes including a code which indicates that the user of the public key is trusted to accurately identify other persons on the certifier's behalf and is further trusted to delegate this authority as the user sees fit.

The present invention further provides for a user's public key to be certified in multiple ways (e.g., certificates by different certifiers). The present invention contemplates [including] the appropriate certificates as part of a user's signed message. Such certificates include a certificate for the signer's certifier and for the certifier's certifier, etc., up to a predetermined certificate which is trusted by all parties involved. When this is done, each signed message unequivocally contains the ladder or hierarchy of certificates and the signatures indicating the sender's authority. A recipient of such a signed message can verify that authority such that business transactions can be immediately made based upon an analysis of the signed message together with the full hierarchy of certificates.

BRIEF DESCRIPTION OF THE DRAWINGS

These as well as other features of this invention will be better appreciated by reading the following description of the preferred embodiment of the present invention taken in conjunction with the accompanying drawings of which:

FIG. 1 is an exemplary block diagram of a cryptographic communications system in accordance with an exemplary embodiment of the present invention;

FIG. 2 is a flow diagram that indicates how a digital signature is created in accordance with an exemplary embodiment of the present invention;

FIG. 3 is a flow diagram that indicates how a digital signature created in accordance with FIG. 2 is verified;

FIG. 4 is a flow diagram that indicates how a countersignature is created for a digital signature;

FIG. 5 is a flow diagram that indicates how a digital certificate is created in accordance with an exemplary embodiment of the present invention;

FIG. 6 is a flow diagram that indicates how a joint signature is added to a certificate; and

FIG. 7 is a flow diagram that indicates how the signatures and certificates are verified by a recipient of the [signed message].

DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENT

FIG. 1 shows in block diagram form an exemplary communications system which may be used in conjunction with the present invention. This system includes an unsecured communication channel 12 over which communications between terminals A, B . . . N may take place. Communication channel 12 may, for example, be a telephone line. Terminals A, B through N may, by way of example only, be IBM PCs having a processor (with main memory) 2 which is coupled to a conventional keyboard/CRT 4. Each terminal A, B through N also includes a conventional IBM PC communications board (not shown) which when coupled to a conventional modem 6, 8, 10, respectively, permits the terminals to transmit and receive messages.

Each terminal is capable of generating a plain text or unenciphered message, transforming the message to an encoded, i.e., enciphered form, and transmitting the message to any of the other terminals connected to communications channel 12 (or to a communications network (not shown) which may be connected to communications channel 12). Additionally, each of the terminals A, B through N is capable of decrypting a received enciphered message to thereby generate a message in plain text form.

Each of the terminal users (as discussed above with respect to public key systems) has a public encrypting key and an associated private secret decrypting key. In the public key cryptosystem shown in FIG. 1, each terminal user is aware of the general method by which the other terminal users encrypt a message. Additionally, each terminal user is aware of the encryption key utilized by the terminal's encryption procedure to generate the enciphered message.

Each terminal user, however, by revealing his encryption procedure and encryption key does not reveal his private decryption key which is necessary to decrypt the ciphered message and to create signatures. In this regard, it is simply not feasible to compute the decryption key from knowledge of the encryption key. Each terminal user, with knowledge of another terminal's encryption key, can encrypt a private message for that terminal and only the terminal end user with his secret decrypting key can decrypt the transmitted message.

Besides the capability of transmitting a private message, each terminal user likewise has the capability of digitally signing a transmitted message. A message may be digitally signed by a terminal user [decrypting] the message with his private decrypting key before transmitting the message. Upon receiving the message, the recipient can read the message by using the sender's public encryption key. In this fashion, the recipient can verify that only the holder of the secret decryption key could have created the message. Thus, the recipient of the signed message has proof that the message originated from the sender. Further details of a digital signature methodology which may be used in conjunction with the present invention is disclosed in U.S. Pat. No. 4,405,829.

Before describing the details of the [enhanced] digital certification in accordance with the present invention, the general operation of FIG. 1 in an electronic mail, public key cryptographic context will initially be described. Initially, presume that the user of terminal A is a relatively low level supervisor of a General Motors computer automated design team who wishes to purchase a software package from a computer software distributor located in a different state. The computer software distributor has terminal N and an associated modem 10 located at his store.

The General Motors supervisor at terminal A constructs an electronic purchase order which identifies the item(s) being ordered and the address to which the items must be sent as well as other items which are necessary in a standard purchase order. It should be recognized that, although this example relates to an electronic purchase order, any aggregation of data which can be represented in a manner suitable for processing with whatever public-key method is being used
for signatures may likewise be transmitted. In the more detailed description which follows such an aggregation of data, e.g., a computer data file, will generically be referred to as an "object".

The terminal A user, the General Motors supervisor, digitally signs the purchase order under the authority of a certificate which is appended to the transmitted message which will be discussed further below. Turning first to the supervisor's digital signature, a message can be "signed" by applying to at least a portion of the object being signed, the privately held signature key. By signing an image of the object (or a more compact version thereof known as a digest or hash of the object to be explained in more detail below) with the secret key, it is possible for anyone with access to the public key to encrypt this result and compare it with the object (or a recomputed hash or digest version thereof). Because only the owner of the public key could have used the secret key to perform this operation, the owner of the public key is thereby confirmed to have signed the message.

In accordance with the present invention, a digital signature is additionally accompanied by at least one valid certificate which specifies the identity of the signer and the authorization which the signer has been granted. The certificate may be viewed as a special object or message which specifies the identity of the user of a particular public key and the authority which has been granted to that user by a party having a higher level of authority than the user.

To be valid a certificate must be signed by the private key(s) associated with one or more other valid certificates which are hereafter referred to as antecedents to that certificate. Each of these antecedent certificates must grant the signer the authority to create such a signature and/or to issue the purchase order in our example. Each of the antecedent certificates [may in turn] have its own antecedents.

An exemplary embodiment of the present invention contemplates utilizing an ultimate antecedent certificate of all certificates, which is a universally known and trusted authority, e.g., hypothetically the National Bureau of Standards, and which is referred to as a meta-certificate. The meta certificate is the only item that needs to be universally trusted and known. There may be several meta-certifiers, and it is possible that meta-certificates may even reference each other for required co-signatures.

Turning back to our example, when the message is ultimately transmitted from terminal A to the computer software distributor at terminal N, the recipient in a manner which will be described in detail below, verifies the signature of the General Motors supervisor. Additionally, he verifies that all the other signatures on the message certificate and the antecedent certificates are present which provides further assurance to the terminal N software distributor that [the message is genuine] and completely authorized. As should be recognized, such assurances are critically important prior to shipping purchased items and are perhaps even more important in an electronic funds transfer context.

Any party who receives a message transmitted by the user of terminal A (whether such a party is the ultimate recipient of the message at terminal N or other parties within for example a corporate hierarchy such as General Motors) can verify and validate A's signature and the authority that the terminal A user exercised. Such validation is possible since a complete hierarchy of validating certificates is transmitted with the original purchase order which permits the ultimate recipient to feel confident that the requested transaction is authentic and properly authorized.

Focussing more generically on major transactions emanating from, for example, General Motors Corporation, it is helpful to focus first on the ultimate certifier(s) mentioned above, i.e., the meta-certifiers. In this regard, General Motors and parties who plan to do business with General Motors or otherwise participate in the public key cryptosystem may initially choose to approach a universally recognized trusted authority e.g., hypothetically the Bureau of Standards and/or one of the country's largest banks. Corporate and other participants in this system register a set of public keys (which they are authorized to use by virtue of an action of their corporate board of directors) with the meta-certifier. These are "high level" keys to be used within the General Motors environment primarily for certifying General Motors' internal personnel. The meta-certifier in return distributes to General Motors its certification that each of these supplied public keys created by General Motors is authorized for their own use. In effect, the meta-certifier is certifying that the party using each key is actually associated with General Motors. The meta-certifier's certification may include [additional] text which indicates that the users of registered public keys are properly [associated] with General Motors. For example, General Motors may decide to have three "high level" keys certified, e.g., corporate officers, such as the vice president, financial officer, and the security officer. At General Motors' request each of the three certificates [indicates] the public keys of the other two as required joint signatures.

Thus, once having obtained the highest level certificate(s) from the meta-certifier, several officials within General Motors may have to jointly sign certificates at the next lower level and such joint signatures. Each of these high level General Motors' certificates would mutually [specify] each other as required co-signers. At this level no single corporate officer acting alone may authorize anything because embedded within each of the three certificates is a requirement for the signature of others who are specifically identified. In turn then, these 3 officers create and sign public keys for the other General Motors' employees, that define exactly the level of authority, responsibility and limitations each employee is to have. One of these [certificates] may belong to user A, or will be an antecedent to user A's certificate.

Each of these three high level certificates may digitally sign terminal B user's certificate preferably after a face to face or telephone verification. After each of the required [signatures] has been created, the certificate's signatures by the vice president, financial officer and security officer as well as their respective 3 certificates, as well as those certificates' respective signatures by the meta-certifier are ultimately returned to the General Motors' supervisor at terminal B to be stored for ongoing use, such as in our example for subcertifying terminal user A. In this manner, the signed message unequivocally contains the ladder or hierarchy of certificates and signatures verifying terminal A user's identity and his authority.

When a party B in a ladder of certifications creates an authorizing certificate for party A, the certificate includes a specification of A's identity together with A's public encryption key. Additionally, the certificate indicates the authority, capabilities and limitations which B
wishes to grant A. By granting this certificate B explicitly assumes responsibility for both A's identity and authority.

B's certificate for A also permits a specification of other parties who are required to cosign actions taken by A when using this certificate as will be explained further below. Cosignatures may take the form of either joint signatures or countersignatures. Additionally party B can define in the certificate for A the degree to which B will recognize subcertifications performed by A.

In accordance with an exemplary embodiment of the present invention, trust levels which are granted by the certifier to the certifiee are specified [by] a predetermined digital code. Such a trust level is used by the recipient of the message as an indicator of the authority granted to the certifiee and the responsibility assumed by the certifier for the certifiee's actions with respect to the use of the public key being certified.

By way of example only trust levels may be indicated by trust level values 0, 1, 2, and 3.

Trust level 0 indicates that the certifier vouches that the certified public key belongs to the individual named in the certificate; but that the certifier will not assume responsibility for the accuracy of any certificates produced by the certifiee. The essence of this would be a statement by the certifier that: "I warrant the user named in this certificate is known to me and is being certified to use the associated public key--however I do not trust him to make any further identifications on my behalf."

Trust level 1 empowers the certifiee to make level 0 certifications on behalf of the certifier. The essence of this would be a statement by the certifier that: "I know the user of this public key and I trust him/her to accurately identify other persons on my behalf. I will take responsibility for such identifications. However, I do not trust this person to identify persons as trustworthy."

Trust level 2 empowers the certifiee to make level 0, 1 and 2 certifications on behalf of the certifier. The essence of this would be a statement by the certifier that: "I know the user of this public key and I trust him/her to accurately identify other persons on my behalf, and I furthermore trust them to delegate this authority as they see fit. I assume due responsibility for any certifications done by them or any duly authorized agent created by them or by other generation of duly created agents".

Trust level 3 is reserved exclusively for an ultimate meta certifier whose public key and certificate is established and also well known (possibly by repetitive and widespread media publication) and whose accuracy is universally respected. This certifier takes responsibility only for accurately identifying the entities whose public keys it certifies. It assumes no responsibility for the use of those keys.

Additionally, each certification may specify the monetary limit, i.e., the maximum amount of money value which the certifiee is authorized to deal with. The monetary limit must not of course exceed the limit in the certifier's own certificate to insure that the certifier does not delegate more than he is allowed to handle.

Before discussing further details of the digital signature and certification techniques of the present invention, it may be helpful to first define certain terminology. As noted above, the term "object" is generically used to describe any aggregation of data that can be ultimately represented in a manner suitable for processing with whatever public key method is being utilized for signatures and/or encryption. The term object may apply to a "primary" object such as a purchase order or check, or money transfer; or to a "secondary" object such as a certificate, or another signature.

The methodology of the present invention in order to increase processing efficiency generally applies a function to the object to create a generally smaller, more compact, more easily processed object, i.e., typically a fixed size bit string of several dozen or more bits. Such a function is referred to as a hash or digest of the object. An example of such a hash or digest would be the output obtained by processing an image of the object with the data encryption standard (DES) using cipher block chaining mode (CBC). Processing may be done with two different DES keys (both of which are fixed, non-secret and commonly known). Thereafter, each of the final output chaining values are concatenated or merged in some way to become the several dozen or more bits constituting the digest or hash value.

An important characteristic of the digest or hashing algorithm is that, while it is easy to compute the digest of an object it is essentially impossible to construct a different or modified object with an equal digest. For all practical purposes the digest is an unforgeable unique fingerprint of the original object. If the original object is changed in any manner, the digest will be different. In other words, for all practical purposes, the more compact representation of the original object is unique to the original object. Ideally, also a hash should not reveal any clue about specific data values within the message. The hashes contemplated in the exemplary embodiment have at least 128 bits.

Turning now to FIG. 2, this figure shows the data flow and the manner in which signatures are created. The signature process applies not only to general objects such as arbitrary computer files, letters, electronic purchase orders, etc., but also to specialized objects such as signatures and certificates.

Each digital signature is accompanied, as is generally shown in FIG. 2, by a certification of the public key performing the signature. The certificate, as will be discussed in detail in conjunction with FIG. 5, is signed by one or more higher authorities (i.e., the immediate certifiers) and identifies the original signer while specifying the degree of authority which has been granted to the original signer.

In accordance with the present invention, the original signer may have more than one certificate and may utilize different certificates for different levels of authority. Each of the certificates may carry different limitations and requirements including different money limitations, trust levels, joint signature requirements and counter signature requirements.

It is incumbent on the signer to select the appropriate [certificate] with which to sign a particular object. For example, purchase orders may require a different type of authority (and therefore a different certificate) than merely a letter of inquiry. Thus, the certificate is a very important portion of the transmitted message in that it identifies the signer as well as the signer's level of authority.

As shown in FIG. 2, in creating the signature the user utilizes the object 20 (which may, for example, be a purchase order) and specifies the type of object 22. The documentation added under the type of object field, for example, indicates that the object is a purchase order.
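The FIG. 2 data flow just introduced, carried through in code as an added example (this is not code from the patent): a signature packet is built from the hashed object, the type of object, the signing date, a comment and the signer's certificate; the presignature hash over those fields goes through the private-key ("decrypt") operation, and a recipient recomputes the hash and applies the public key carried in the certificate. Because the text states that the signature process applies equally to signatures as objects, the example also countersigns the packet, the FIG. 4 case in which C's object is A's signature. Everything not in the text is an assumption: textbook RSA on fixed Mersenne primes stands in for the unspecified public key method, SHA-256 for the DES-CBC digest, and the packet and certificate field names, the parties A and C and the purchase order text are constructed for the example.

```python
# Added example modelled on the patent's FIG. 2 packet, FIG. 3 check and FIG. 4
# countersignature. Toy RSA and SHA-256 are substitutions; field names are assumed.
import hashlib
import json

E = 65537  # public exponent for both toy keys (constructed)


def toy_keypair(p, q):
    """Textbook RSA from two fixed primes -> ((e, n), (d, n)).
    Constructed for illustration: unpadded and far too small for real use."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def object_hash(obj: bytes) -> str:
    """Hash 44: the compact image of object 20 that goes into the packet."""
    return hashlib.sha256(obj).hexdigest()


def presignature_hash(fields: dict) -> int:
    """Hash 34 over fields 20 (hashed), 22, 24, 26 and 28: presignature hash 36."""
    raw = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def signature_operation(presig: int, private_key) -> int:
    """The text's 'decrypt' step: apply the private key to the presignature hash."""
    d, n = private_key
    return pow(presig % n, d, n)


def verification_operation(signature: int, public_key) -> int:
    """The text's 'encrypt' step 52: apply the named public key to signature 40."""
    e, n = public_key
    return pow(signature, e, n)


def make_signature_packet(obj, obj_type, date, comment, certificate, private_key):
    """Signature packet 42: fields 20 (hashed), 22, 24, 26, 28 plus signature 40."""
    fields = {"object_hash": object_hash(obj), "type": obj_type, "date": date,
              "comment": comment, "certificate": certificate}
    signature = signature_operation(presignature_hash(fields), private_key)
    return {**fields, "signature": signature}


def verify_signature_packet(packet, obj) -> bool:
    """FIG. 3: recompute hash 50 from the received fields and object, apply the
    public key carried in certificate 28 to signature 40 (hash 54), compare at 56."""
    fields = {k: v for k, v in packet.items() if k != "signature"}
    if fields["object_hash"] != object_hash(obj):
        return False  # the object is not the one that was signed
    public_key = tuple(fields["certificate"]["public_key"])
    hash_50 = presignature_hash(fields) % public_key[1]
    hash_54 = verification_operation(packet["signature"], public_key)
    return hash_50 == hash_54


def packet_bytes(packet) -> bytes:
    """Canonical image of a packet, so that a signature can itself be an object."""
    return json.dumps(packet, sort_keys=True).encode()


def countersign(packet, date, comment, certificate, private_key):
    """FIG. 4: the countersigner's object is the earlier signature packet."""
    return make_signature_packet(packet_bytes(packet), "signature", date, comment,
                                 certificate, private_key)


def demo():
    """Constructed purchase-order flow: A signs, C countersigns, one tamper check."""
    pub_a, priv_a = toy_keypair(2**31 - 1, 2**61 - 1)    # Mersenne primes M31, M61
    pub_c, priv_c = toy_keypair(2**89 - 1, 2**127 - 1)   # Mersenne primes M89, M127
    cert_a = {"name": "A", "public_key": list(pub_a), "counter_signer": "C"}
    cert_c = {"name": "C", "public_key": list(pub_c)}
    order = b"PURCHASE ORDER: 10 x software package, ship to terminal A"  # constructed
    pkt_a = make_signature_packet(order, "purchase order", "1987-01-02",
                                  "valid for 30 days", cert_a, priv_a)
    pkt_c = countersign(pkt_a, "1987-01-03", "approved", cert_c, priv_c)
    return {
        "a_valid": verify_signature_packet(pkt_a, order),
        "a_tampered": verify_signature_packet(pkt_a, order.replace(b"10", b"99")),
        "c_valid": verify_signature_packet(pkt_c, packet_bytes(pkt_a)),
        "c_wrong_object": verify_signature_packet(pkt_c, order),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two outcomes the text describes: A's packet verifies against the purchase order and fails against an altered one, and C's countersignature verifies only against A's packet, not against the primary object, because what C signed was A's signature. The certificate travels inside the hashed fields, so swapping in a different public key also changes hash 50 and fails the comparison at 56.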
[...] the type of object field 22 would identify that the object is another signature or a certificate. As indicated at 24, the date of the signature is also identified.

The comment field 26 is utilized to add documentation which, for example, places limitations on the signature or adds other commentary. The signer may indicate that his signature or the object is only good and valid for a predetermined period of time. Additionally, any desired comments regarding the particular transaction, e.g., the purchase order, may be added as comment data.

Also incorporated in the signature is the original signer's certificate 28 which includes the original signer's public key 30 and numerous other fields which are discussed in detail below in conjunction with FIG. 5. As noted above, public key signature methods require the use of a public key 30 and an associated private key which is shown in FIG. 2 at 32.

The object field 20 (e.g., purchase order data), the type of object field 22, the signing date field 24, the comment field 26, and the signer's certificate field 28 are hashed via a hashing algorithm at 34 to enhance processing efficiency. Additionally, each of the fields 20, 22, 24, 26 and 28 are incorporated in the signature packet 42 to become part of the signature record. A hashing algorithm 44 is also applied [to the object 20 to] place it in a more compact form prior to incorporation in the packet 42.

After application [of the hashing algorithm 34 to the] fields previously [described, a presignature hash is generated] therefrom as indicated at 36. The presignature hash 36 is then run through a decrypt (signature) cycle as indicated [in FIG. 2, using the private key 32, to generate the signature 40 which,] together with items 20 (or the hash of 20), 22, 24, 26 and 28, becomes the final signature packet 42.

When this signature is transmitted with the associated object, it allows the recipient to [confirm that the object is] intact as it was [signed]. Furthermore, when sufficient certificates are also included, the recipient can validate [that the signer's authority] has been granted [...].

Turning now to FIG. 3, this figure shows how a recipient of the transmitted message, including the signature packet 42 constructed in accordance with FIG. 2, [verifies the signature]. As shown in FIG. 3, the recipient [takes the signature] packet [42 and its] associated fields 22, 24, 26 and 28 as well as the object 20 and [applies the] hashing algorithm 34 as applied to [the same fields in FIG. 2] to thereby result in a presignature hash 50.

The recipient then utilizes the public encrypting key transmitted with the signer's certificate [28 to perform] an encrypt (verification) operation 52 on the signature to be verified 40 (which was transmitted with [the signature packet 42]) to thereby generate a presignature hash 54. The recipient, by recomputing the presignature hash in the same way as the signer, then compares this value with the encryption (verification) of the signer's signature.

As indicated at block 56, if these two values at 50 and 54 are not equal, the recipient cannot accept the received signature as being valid. Whether intentional or otherwise, the object and/or the signature must have been changed or tampered with in some way since they were signed. By virtue of this verification step, the recipient determines that the digital signature is consistent with the public key that was named.

In this manner, the object and its signature are processed to insure that the object is identical to the data which existed as it was signed by the owner of the public key. This is the first step of an overall validation process.

Other steps in the validation process insure that the public key belongs to the person named in the associated certificate and that the person has the authority stipulated in the certificate. This verification process applies generally to any object even if that object is another signature or a certificate. To complete the validation process, the recipient analyzes the certificates associated with the signature to determine that the proper authority has been conveyed to each certificate through its signatures and the antecedent certificate(s) of the authorizing signatures.

An object may be accompanied by more than one signature. Cosignatures fall into the category of either a joint signature or a counter signature. A joint signature is simply another signature of an object by a different party. The signature process is no different [from that described in conjunction with FIG. 2]. A [counter signature is a signature] of a signature. Thus, when A signs an object, the signature may itself [be signed by another party C. In countersigning] A's signature, the object C is signing is A's signature [...] countersigned and reflects approval (or at least recognition) [of ...] as the fact that A has signed that object. This mechanism allows a chain of authority where each higher level approves any commitment made at a lower level. One of the unique aspects of this system is that the certificate A associates with this signature may in fact require that the use of A's signature be accompanied by particular [cosignatures].

Turning next to the creation of a counter signature which is shown in FIG. 4, initially A signs at 63 a primary object 60 in accordance [with the process out]lined in detail in conjunction with [FIG. 2]. The object 60 may be a purchase or[der, some other instr]ument or it may be a counter [or joint] signature of a primary object.

As explained above in regard to FIG. 2, the process of A signing an object may also involve some other party signing A's signature. Thus, A's certificate 62 specifically defines at 65 that, in order for A's signature to be valid (i.e., ratified), a counter signature by C is required, for example, using C's specific certificate Y. After A signs the object, A's signature packet 66 is then forwarded along with the primary object and all associated signatures and certificates to C and A requests that C add his counter signature 64. Upon receiving the material, C reviews all existing signature certificates and the primary object and if everything meets with his approval he would decide to sign A's signature 66. A's signature inherently reflects the primary object and C's signature inherently reflects A's signature so C will essentially have "signed on the line below A's signature".

Once C decides to approve A's signature at 68, the process of creating a signature as shown in detail in FIG. 2, is duplicated except that the object is A's signature. Thus, with A's signature as the object (and the

4,868,877 

13 14 

type of object being a signature at 72), the counter signature date 74, C's counter signature comment 76, and C's certificate 70 are applied to a hashing algorithm 80 to thereby result in a presignature hash 82. At the same time, these fields are also inserted into the counter signature packet 88 as discussed above with respect to the signature packet 42 (with a hashing algorithm 69 being applied to the signature object). Presignature hash 82 and C's secret key 92 are applied in a signature operation 84 to generate a counter signature 86. This counter signature becomes part of the counter signature packet 88 in precisely the same fashion as described previously in regard to the creation of signature packet 42 in FIG. 2.

Because the certificate "Y" which C must use to perform the signature has been explicitly stated (in the certificate which A used to sign), C may also be required to meet his own cosignature obligations so specified by "Y" and forward this entire package including his own newly added signature on to other parties for further cosignatures (either joint or counter signatures). This recursive signature gathering process continues until sufficient [signatures] are added to fully satisfy all cosignature requirements of at least one party who initially signed the primary object.

Turning next to how one party creates an authorizing certificate for another, it is noted that B creates an authorizing certificate for A by combining a specification of A's identity together with the public encrypting key which A generated for himself. Additionally B specifies the authority, capabilities and limitations which B wishes to grant A. By signing the certificate, B [explicitly] assumes responsibility for A's identity and authority.

The present invention permits B to specify other signators who are required to cosign actions taken by A when using the certification. As noted above, B can further define in the certificate for A the degree to which B will recognize subcertifications performed by A.

Additionally, many other limitations and restrictions may be imposed by B. For example, B may impose a money limit which will insure that any recipient of A's certificate will be aware of the limit B is willing to authorize. Since the process of creating a certificate, as will be shown below, involves signatures, the use of cosignatures is extended to permit certification authorization. For example, certificates may be designed to allow delegation of subcertification, but only if particular multiple cosigners are involved. This allows checks and balances to be structured into a hierarchy of authority so that electronic digital signatures can be used across organization and institutional boundaries with great confidence--both by the parties receiving the [signatures and by the parties delegating the authority to make] the signatures.

The manner in which a party B creates a certificate

[...] of a new certificate 112. As in FIG. 2, the signature is created using an object (A's certificate 116) and a certificate (B's certificate 108). B's secret private key is utilized in the decrypt operation to create the signature 112 of the new certificate 116 and the signature packet 114 of B's signature becomes part of A's new certificate packet.

Focussing on the certificate for A which is constructed using information about A specified by B, B builds the certificate by utilizing the public aspect of A's public key as provided by A via line 103. B also sets forth A's full name, A's title and other important statistics such as his address, and telephone number. B may also include a comment to go with the certification which will be available to any person in the future who needs to examine A's certificate.

B additionally will indicate an expiration date of the certificate. This date may reflect the date after which A should not use the certificate. Alternatively, the date may call for any certificate created by A to also expire on this date. B may also indicate in the certificate an account number for A which may represent an internal identification code within B's organization.

Additionally, B may place a monetary limit in the certificate. This monetary authority or credit limit is checked against the limit in B's own certificate to insure that B does not delegate more than he is empowered to delegate. This same relationship is also verified by future recipients as part of their validation process.

As discussed above, B also defines the degree of responsibility which B is willing to assume for subcertifications done by A. This field must be compatible with the trust level which is allowed B's own certificate. The relationship between the trust level granted to B and that granted by B is another of the relationships validated whenever future recipients validate the hierarchy of certificates which are presented to them.

Finally B inserts cosignature requirements into A's certificate which specify how many and what type of cosignatures are required to accompany A's signature when A uses this new certificate. As indicated above, cosignatures may be in the form of joint signatures and/or counter signatures. The counter signature indicates an approval of the use of the certificate and the approval necessarily follows the associated signature. Joint signatures can be done in any order and do not necessarily reflect approval of the other signatures, but simply approval (or recognition) of a common object.

Cosignature requirements may, for example, be specified in the certificate in a variety of ways. One technique which may be used is to explicitly define a list of valid joint signers and a list of valid counter signers. Associated with each list is the number specifying the minimum [number of] signatures which must be present in order for a recipient to recognize the signature as being fully approved. The joint signature list may be a

tor party A is shown in FIG. 5. As indicated at 100, A vector of hash values of each of the set erf crther public 

creates a pubtaVprtvate key pair in accordance with keys. Some specified minimum number of these keys 

conventional pubhc key signature systems and supplies must appear in certificates of other signatures applied to 

the pubhc key to B 102. Once B obtains the public key 60 any object signed by A when using this new certificate, 

provided by A for certification, it is important for B to Otherwise any recipient should not treat A's signature 

insure that the public key is actually one generated by A as valid. 

and not someone masquerading as A. In this regard, it The counter signature list is a vector of hash values of 

may be desirable for the public key generated by A to other certificates which must be used to sign any signa- 

be provided on a race to race basis. 65 ture made under the authority of this certificate. Since 

Having selected his own certificate with which to this references certificates (rather than public keys), it is 

sign A's certificate, B at 106 utilizes the certificate 108 possible to reference specific certificates which them- 

with the associated public key 110 to create a signature selves need further joint or counter signing. By select- 
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-~mg appropriate certify ^""cate of A, AY certificate packet *cona^^of'the % cfertifi- c 

to create hierarchy of counter signature requirements to cate for A 132* B's signature packet for A's certificate 
whatever level an organization feels comfortable. A 134 and finally Cs signature packet for A's certificate 
specified nnmber of cosigners is required from each 1361 

category. Tins can range from all the candidates to 5 In r e gard to Cs stgnature packet, it is noted that, in 
some subset, for eiampfr, 0, 1, 2 or 3. order for C to validly *»gn the certificate, he must select 

The set of possible co-signers may be i ndicat ed ex- one of his own certificates which grants Him sufficient 
plkxtly in a list as described here, or implicitly by sped- authority to cover what is specified in the new certifi- 
fying some quality or attribute specification which is cate for A. If C has no such certificate, then Hbimpos- 
dwrignated in each possible co-signer's certificate. 10 for him to validly sign the certificate since future 

Other field s may b e included in the certificate. For recipients would reject ms certificate as rmving insuffi- 
example, the current date and tmte which reflects the rynt authority. 

moment of tbe^ initial action of the certificate. As It is noted that Cs certificate may also require a 
indicated m FIG. 5, the complete certificate consists of counter signature by another party. If so, C forwards 
a certificate packet with includes the certificate 116 for 13 tlie oitfficate and aU associated sWn^ 
A^tte signature packet 114 of B's signature to A's fied party, e.g^ D, to counter sign Cs signature. When 
n^^«^ 9 ^*i»hu n «4 n , n r<>n«^sfi M t>. 0 ~i D receives the material he performs the same verifica- 
«J^rSrtSin^^^T?^W tk« steps as Con the new certify If hearses, 
^^^?A^fl"^!S.\ Jf? ™ then D adds his signature to the set. However, D signs 
along whenever A uses Ins «nli r ii M l r It is contem- 20 p. ■ a. .^.i ...^■in.^ IJ . mZZ 

c^forA-Forexanrp^onecerth^nnghtallowA 5££3E? £S£Z£Z 
torehabryideirifThin^wto f » 3^L ( ^^°^ case was the cer^tefor 
aumorhy Another certificate might allow author^- 'J^T^ ^ Tto 

tianto Aofcertam hinited nxmey aniounts wnhont 23 g^.y*?!,?**? "* ****** a g»- 
mpirmgatryccaigii^ tare wtoch osmrr^y another signature of the saiiie ob- 

rxzarion for larger amounts but require one or more J ^l. . c . . 

cosigiiatures. Still another might allow A to subcertify The applicaUon of jomt and/or counter agnatures 
ntW jw»r«oi*» »™-orr*m C to rKfrW^t p,r^w>y ^ can be nested to whatever depth is required, Thus, if D 
anthority Ihmtatkms and/ or co-signature spedfica- 30 to bave joint signatures, t^ this package 

tfons. should be passed to one of D*s caTwftdatr jomt signers 

Assuming that B has created a w^tifipptr for A as a PP roval °* C* 5 signature. Tins would be a joint 

shown in FIG. 5, if B requires no a wg n m then the counter signature- Similarly, in organizational hierar- 
f^rttfiont^ is complete. However, the certificate which cn * cs J* * possible that D might require counter signa- 
empowered B to create A*s cer ti fi ca te may have re- 35 turcs m wn ^ cn 0886 someone else win need to sign D*s 
quired that B have cosigners. There may be one ox more stgnature. y 
joint «flf*flt!rr r and/or M gna ti w wm^pi r^mtnt^ As explained above, the recip ie nt of a primary object 

FIG. 6 exemplifies the steps frflfcm by party C to (such as a purchase order) and its associated signatures, 
jointly certify the certificate of A. The requirement to processes the received materials to insure that the ob- 
have a joint signer would be specified in B's own certifi- 40 if 0 * * identic al to the material which existed as it was 
cate. In tins case, a transmitted object (in tins case A's signed by the owner of the public key. The process for 
new certificate) signed with B's r^rHfi^ty would be verifying the signature and for verifying that the object 
l e j ee ied by a reeipieiit if CTa jrwnt d gna t i i w w iw* aico had not been tampered with has been explained above in 
present on the object regard to FIG. 3L 

As shown in FIG. 6> if such a joint signature is re- 43 Additionally, the r ec i p i e nt needs to verify that the 
quired, a copy of B's certificate for A is sent to C who identity of the signer is correct and further that the 
must jointly sign the rmmti n » ^ 120, C then mminM signer has the proper auth orit y within his organization 
A's certificate 122 and verifies that the pubhc key of the to make the commitments implied by the received 00- 
cert ifi c ate actually belongs to A in accordance with ject The sender of the object (e.g^ the purchase order) 
process outlined in conjunction with FIG. 3. 50 has the responsibility of sending all generations of ante- 

C then *****nn~t the signed attributes and authoriza- cedent ce rtific ates and signatures (up to and wirfitrftng 
tkma set forth in the? certifieartg mrfmHn g ttw» agngnwi the meta-ccrtificate) which are needed for a recipient to 
monet ary level, trust level, etc C then, upon conclnd- perform v alidati on op e rat ions. 

ing that all the fields in B's certificate for A are appro* In v alidati ng the object and its signatures, the rectpi- 
priate, selects his own certificate with which to perform 55 ent may, for example pr o cee d as follows. First the re- 
the stgnature 126. With his own ce rtificate 128, C signs cipient insures that the primary object 150 has at least 
B's certificate of A 133 (130). Once C signs ms certifi- one signature. In the example shown in FIG. 7, the 
cate his signature appears essentially parallel with B's primary object 150 has four associated joint signatures 
signature and any other cosigners as shown at 134 and 152, 168, 180 and 200, each of which has associated 
136 of FIG. 6l Thus, it is important that C exercise as 60 certificates 151 HO, 182 and 202 respectively, 
much caution as B when approving A's certificate. Certificate 154 was made requiring joint signatures 
Once A's certificate is created no cosigner may change by the owners of certificates 170, 182 and 202, and 
the certificate for to do so would create essentially a onmter-signatures by the owners of certificates 162 and 
different object to which none of the previous signa- 166 using these specific «»rtifir*tP« The certificate 154 
tares would apply. If C docs not approve the certificate 65 itself was authorized by the owner of certificate 158 as 
he must avoid signing it, and should have a different evidenced by signature 156. 

certificate constructed and re-signed by all necessary In this example, the owner of 154 has obtained the 
parties. After C adds his joint certificate to B's certifi- necessary counter signatures 160 and 164 by the holders 
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joint-signatures 168* ISO and 200. 



Trust Value and 
Antecedent Trust Value InuocdtatE Certificate 



To provide validation for his signature 168, the 
owner of certificate 170 must include the authorization 
for his certificate Hts certificate was signed by the 5 jj * 

holder of certificate 174 (as evidenced by 171}, however o 3 

174's certificate specified that a joint signature by the 1 2 

owner of 178 was required in order to fully ratify 174's * 3 

signature 171 Thus signature 176 which was made 2 * 

sometime in the past, fulfilled all of 174's joint signature 10 •■ 

requirements *w*H thereby validated (ratified) the use of 

J70L Additionally, any monetary limitations set forth in 

Looting ttjomtsigiiatra the certificate must be observed. The money limit al- 

we learn that 183 requires counter signatures by the «>wed by a certificate must not exceed its antecedent 
holder of 186 using the specific certificate 186. The 15 Additionally a check should be made to insure that the 
holder of 182, did in feet get the coimter-^ignature 184 antecedent's expranon date is compatible whh the ante- 
by the holder of 186, However, certificate 186 requires c f dc f t>s «pttation date. By way of example only, a 
that any signature by 186 itself be countersigned by the check may be made to insure that the expiration date in 
holders of certificates 190 and 194 (usmg these respec- cve 5 v <»tificate exceeds the date of each signature 
tivecertificatesXT^ 20 **** **** m ^ , m . cases » «t™yte desirable to 

tersigned 184 as evidenced by 188 arid 192. At one fur. r^ert^ material wmch is controlled by an obsolete 
ther level we learn that certificate 194 requires any cennlcate. . , „ , . , 

signature by 194 be counter signed by the holder of In order to^ect -closed" an^tyloops (by which 
certifkate 198, which signal a series of certificates may be structured m a loop with 

Certificate 202 requn^^ 25 ^Jast member of the loop gra^ auth^ to tte 

All certifkartes must be accompained by signatures ^ * neccssar y to msm that all authority ulfc- 

«,w^.u . A, m „,h, n , j i_ ^.♦^^j^* r i *#- matery flows from recognized meta-certificates. In this 

wmcn are tnemselves autnortzea by antecedent certn> — „ ^u^i^. «r fct»«r.-«:««i ,..».t:r; m %^u 
cates. Ultimately an the aothority can be traced to a set S^i^t^^S 
..f . „i:r. -i_ Jhifi. h, fn 1„,j ,1,, i ir ,i,i, . „ f mutually certify each other will not be inadvertently 
!ff?!^?jT^ W ^ s ^fr th ° h< * ier rf 30 aUowed to incorrectly pass the validation process. 
^rr^erti^(c4-po«Bby a small f«ofrn«^- O^w^to.^xom^^^toch^Jce^Bc^ 

uficatesX Each metarcertutcate ts weu gim m m ami ens- ► . ^ * , ^ ^, ^ . , 

♦■4k^%«^J^^^ maser^ofrterations, starting at the n^ 

trflbyed to all p arties "t hroinj^ the world". certificate. At each iteration, certificates are scanned 

^reca^ examines every agtiature supphed and ^ m ^ process certificates having at least one 
verifies that each accurately signs its purported object 35 checked off antecedent would in turn be checked oft 
(whether the object * a primary object, a certificate, or The iteratkm stops wr^ no nw 
another signature) using the procedure detailed m FIG- checked off If any certificates have not been checked 
3. The recipient insures that each signature includes a ^ then these are "orphans" which should never have 
correS|>oita4ng validated certificate. been supplied. Such a tiaiismitted package would be 

If a certificate requires joint signatures, then the re- 40 rejected, 
cipient insures that the required number of these neces- Once the signatures and certificates are validated 
sary s ignatures (to the same object) are present. If the (based on the ultimate authority of the meta-cer- 
certrficate requires counter signatures, then the recipi- trficate(s)X the final step is to insure that the commit- 
ent insures that theiecraired number fr om the desig- merit inherent in the primary object is within the au- 
natedsubset are present (the counter signatures have 45 thority granted to its mimrdiatr (joint) signers. This is 
signatures as then* object). done by ^ on stdert ^g the value imputed to the primary 

All certificates are then examined. A check is made object with the certificates of its signers, 
for the special meta-certificate which has no signature Ahhnn gh th* nyg of n ntft^<r r* ir r^T nwrnw that all 
but which is universally known and trusted and a copy authority ultimately flows from a trusted source and 
of which is already stored in the recipient's computer. If 50 provides pr ot ection, thr prrirTtrt mvpntkm is not frmitpH . 
a certificate b received which claims to be the meta-cer- to a i^ t ifi <M i ^ m methodology which necessarily in- 
tificate hot which is not equal to mat already known to crudes a single meta-certifier. On the other Hand, it is 
and accepted by the r ecip i ent, then a rejection is waned contemplated by the p re sen t invention to allow for the 
If me rneta-certificate is properly recognized, then the use of multiple meta-certmers. These should be certifi- 
vafidatkm process c ontinu es, 55 cates governed by entirely independent sources possi- 

A dd nio nalry, a check is made to insure that any other bry reflecting the apex of entirely different authorizing 
certificate besides die metarcerttficate has at least one hier ar c h ies (evg^ the go ve rnmental sector versus the 
signature. As noted above, a check is made to insure private sector). 

that all necessary carugiut lures for all prrvntrd objects Another use of multiple meta-certifiers could be to 
are present. Additio nally, a check is made to deter mine 60 avoid concentrating full meta*«ertification responsibil- 
that antecedent certificates grant sufficient authority to hy with one group. For example, it might be uncomfort- 
the subcertzficate signers to permit them to validly sign able to know that there is a single entity winch could in 
the certificate. theory create forgeries on behalf of anyone else by 

In this regard, the trust value in the certificate must creating false certificates, Tins concern may be allevi- 
be consistent with the antecedent (Le^ the certificate of 65 ated if the racta-certffication authority were distributed 
its signers). By way of example only, the following trust among different trusted meta-certifiers. Each meta-cer- 
field combinations are valid (using the example spec** tifier would operate completely independently but each 
fled earlier). certificate would specifically require the others as joint 
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. signers. This .would essentially diminate the.possibility ^ , , : *,V7. A method according to claim 1,* further including- 
that isolated corruption within a single organization the step of applying a hashing function to at least a 
would compromise the system. For example; any orga- portion of the message to be transmitted to form a pre- 
mzatum that wished to be certified would need to have signatnre hash; and wherein said digitally signing step 
their own high level master certificate corroborated by 5 mrmrips the step of processing grid pre«gTOitmnp Wh 
each separate entity. Large organizations may likewise with the signer's private key to form said digital signa- 
wish to structure their own master certificates to be tare. 

constructed so as to require joint signatures in order to & A method according to claim 7, farther including 
provide multiple safeguards against the danger of iso- the step of forming a digital signatnre packet compris- 
lated corruption within the organization. 10 mg the digital signature and a representation of said at 

While the invention has been described in connection least a portion of the message to be transmitted, 
with what is presently considered to be the most practi- 9. A method according to claim 1, wherein said an- 
cal and preferred embodiment, it is to be understood thorizing certificate incfadf9 digital fields defining the 
that the invention is not to be iwmt^ to the disclosed cosjgnatore requirements which must accompany the 
embodimentt but on the contrary, is fntmded to cover ^ signer's in order for the signer's signatnre to 

various modifications and equivalent arrangements in- be treated as prop er l y authorized, 
eluded within the spirit and scope of the appended 10. A method according to rfatm 9, wherein said 
claims. digital fields doming co-signature requirements set 

I claim: forth a required digital signature by a specified third 

1. In a communication system having a plurality of ^ party indicating a pp ro val of the signer's signature to 
terminal devices coupled to a channel over which users thereby define a counter signatnre r e quir ement 
of said terminal devices may exchange messages, at least 11. A method according to chum 10, wherein the 
some users having a public key and an associated key, third party gn nnt w rngiw hy digitally gj gmng th*> signer^ 
an hnproyed method for managing authority by digi- digital signature. 

tally signing and certifying a message to be tra n sm i t t e d 12. A method according to claim 9, wherein the 
to an independent recipient comprising the steps ok cosignarure requirements include a digital field specify- 
formnlatmg at least a portion of a digital message; ing at least one other digital signature which is required 
digitally signing at least said portion of said message; to appear in the digital message thereby defimng a joint 

and signal i tie requirement, 

including within said message an authorizing digital - 13. A method according to claim 1, wherein said 

certificate having a r^urahty of digital fields ere- a i illwHrnng certificate includes at least one digital field 

ated by a certifier, said authorizing certificate being defining Ktmfntinfw as tp the authority granted by the 

created by the steps of: certificate, 
specifying by the certifier in at least orje of said digital 35 14> A method according to claim 1, wherein said 

fields, the authority which is vested in the certifier authorizing <*i tifi<^ defines the plurality of the 

and which has been delegated to the signer of said signer. 

me mgr , by including < uifTW - ii »n i digital tnfi w nmiii m 15. A method accor din g to claim 13, farther includ- 
to enable said independent recipient of said mes- ing the step of specifying a monetary Kmit for the signer 
sage to verify, be electronically analyzing said 40 in a digital field in ««td certificate. 
me ssag e in accordance with a predetermined vah- 16. A method accor din g to claim h wherein said 
dation algorithm, that the authority exercised by authorizing certificate at least one digital field 

the signer in signing the content of said message defining a trust level inolcative of the degree of respon- 
created by the signer was properly erercised by the sflritity delegated to the signer by the certifier, 
signer in accordance with the authority delegated 45 17. A "fttaxf according to dahn 1, wherein said 
by the certifier; and identifying step mcfndes the step of specifying in digital 

identifying the certifier who has created the signer's fields in said authorizing certificate a hierarchy of certif- 
certificate in other of said digital fields by inemding iratw^ wh— »hy» wJ^hi ^♦^yw*f^^e^mf l ec tr p iii - 
sirfftcTent digital information for said r ec ip ie nt of caDy verify in accordance with a predetermined valida- 
the message to determine by dcctimiicaDy anaryz- so uon algorithm the authority of the signer based upon an 
mg «rid nn^^ag^ that th+ rrrtittrr ha* btm granted analysis of the signed message, 
the authority to grant said delegated authority. 1& A method accor din g to claim 1* wh ere in said step 

2» A method aoxwding to claim 1, further including «f creating an u nit in g fr y i ng ^»r tifirgtt»> wyf nrif f th*> ^trp^ 
the step of providing at least one digital field in said of creating a certificate by a catifia, whereby the certi- 
message identifying the nature of the digital data being 55 fier signs the certificate by using the priv ate key associ- 
t rammitted . ated with one of the certifier's own certificates. 

3. A method according to claim 2, wherein the nature 19. A method according to claim 1, including the step 
of the digital data is identified as being a digital signa- of transmitting a plurality of certificates, and wherein at 
tare* least one of the transmitted cert ifi ca t es is a meta-certifi- 

4. A method according to claim 2, wherein the nature 60 cate, where a meta-certificate is a digital authorizing 
of the digital data is i d entified as being a certificate, certificate from which authority flows which originates 

5. A method according to claim 2, wherein the nature from a trusted source commonly known to both the 
of the digital data is identifi e d as being a business docu- signer and prospective recipients. 

meat 20. In a cornrnnrttcattons system having a plurality of 

6. A method according to claim 1, wherein the for- 65 terminal devices coupled to a communications channel 
mulating step includes the step of providing a digital over which users of said terminAl rieviep* may rnhnngp 
field allowing the user to insert a predetermined com- messages, at least some of said users having a public key 
ment regarding the data being transmitted. and an "«"fiatfd private key, an improved method of 
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disitallY suming and certifying a message to be transmit- 29. A method according to claim 28, wherem the 

tea for ««m«gnig antbonty co mp ris in g the steps of: nature of the digital data is identified as being a digital 

formulating at least a portion of a digital message; signature. 

digitally signing at least said portion of said message; 30. A method according to claim 28, wherein the 

ww^nHtng within said message an authorizing digital 3 nature of the digital data is identified as being a digital 

certificate having a plurality of digital fields ere- certificate. 

ated for the signer by a certifier, said authorizing 31. A method according to claim 20, farther includ- 

certificate being created by the steps of: ing the step of applying a hashing function to at least a 

specifying by die certifier in at least one of said digital portion of the message to be tranjHnitted to form a pre- 

fields at least one party whose digital signature, in !0 signature hash; and wherein said digitally signing step 

addition to the signer's signature, is required to be mcrndes the step of processing said pceriguature hash 

Ua i wiml l nl with said message in order Cor said with the signer's private key to form said digital signa- 

signer's signature to be treated as properly antho- ture. 

rized; and 32. A method according to claim 20, wherem said 

identifying the c e tUfi c t who has created the signer^ 15 authorizing certificate includes at least one digital field 

certificate in other of said digital fields by mrmrirng defining the r e quir ement of at least one digital signat u r e 

sufficient digital information to maWr the rrcipif nt by at least one third party indicating approval of the 

of said message to d e te r min e by electronically ana- sender's s ig natur e, thereby defining a co unte r si gnature 

ryzing said message that the certifier has been r e quir ement, wherein the third party countersigns by 

granted the authority to certify the signer's certifi- digitally signing the sender's digital signature, 

cate. 33. A method according to claim 20, wherem said 

2L A method according to claim 20, wherem said authorizing certificate includes at least one digital field 

certificate includes digital fields representative of a list specifying at least one additional party required to sign 

of each of the public keys of the parties at least one of ^ said portion of the digital message to thereby define a 

which is required to cosign any message signed with the joint signature requirement 

authority of the certificate. 34. A method accor din g to claim 20, wherem said 

22. A method accor din g to claim 20, wherem said auth orizing certificate includes at least one digital field 
certificate includes digital fields representative of a list defining Kmftntirtn* n* to th* a mt imiiy granted hy ttw» 
of public keys of the parties at least one of which may be ^ certificate. 

r e quir ed to sign any message created under the author- 35. A method according to claim 34, wherem said 

ity of said certificate and a field defining the m i nimum hrrm^tiom includes a monetary limit for the signer, 

member of such signatures which must appear in said 36. A method according to claim 20, wherem said 

mwwagt in order tor the signer's signature to be treated authorizing certificate i nc lu des at least one digital field 

as properly authorized. ^ indicative of the degree of responsftffity d e l e ga t ed to 

23. A method according to claim 20, wherem said the signer by the certifier. 

certificate includes digital fields r e pr e senta tive of a hst 37. A method according to claim 36, wherein said at 

of each of the certificate s of the pa r ties at least one of least one field defines a trust level indicating the degree 

which is required to sign any message created under the of responsibility the certifier is willing to assume for 

authority of said certificate. snbeertification done by the signer. 

24. A method according to claim 20, including the 38. A method according to claim 20, wherem said 
step of tnrJmftng Higitni fjpMg in gain megangf* associat- authorizing certificate mchTdff? at least one field identi- 

m g with ftarh di g ital <agT*a firry w caiH mpgaagi* m unttww tying the Signer. 

rizing certificate grn e r a t rd by a c e i tifying party winch 39. A method according to claim 20 further including 

specifies the authority which has been granted to the 43 the step of transm i ttin g a plurality of- certificates, and 

messagr sender. wherem at least one of the transmitted certificates is a 

25. A method according to claim 21, further mcrod- metfrcertificate where a meta^rrtffiratr is a digital 
ing the steps of transmitting said message mdudrng said . authorizing certificate from winch all authority flows, 
cTi li l katc s and verifying at the r ecipie n t^ terminal said nieta-certificate origmatmg from a trusted source 
device each »gii»*m i* through the use of at least one 30 commonly known to both the signer and the reci pi e nt , 
public key. 40. A method of digitally signing and certifying a 

26. A method accor di ng to claim 20, wherem said sender's message to enable a recipient to determine that 
step of inclnding an authorizing certificate includes the the send-r is prop er ly authorized co mpri si ng the steps 
step of < fffinmg a ' hierarchial ladd er of . certific ates of: 

within itigitnl field8 in transmitted message* 33 ifyin g m nt teftgfr m» digital firid in an authorising 

whereby a recipient of the message can electronically digital certificate created by a certifier the dele- 

* verify in accordance with a predetermined validation gated authority which has been granted to the 

algorithm the authority of the sender based upon an sender, said anthorizing certificate including a pin- 

analysis of the signed message rality of digital fields; 

27. A method according to claim 20, further incmd- 60 identifying in other of said digital fields in said certifi- 
ing the step of creating an authorizing certificate by a cate the identity of the certifier by mclndmg sufrV 
certifier, wherem the certifier creates a certificate by cient digital information for said recipient to deter- 
signing the certificate by using the private key associated with one of the certifier's own certificates.

28. A method according to claim 20, further including the step of providing at least one field in said message identifying the nature of the digital data being transmitted.

-mine that the certifier has been granted the authority to grant the delegated authority;
transmitting a message to said recipient having at least one digital signature, said message including said digital certificate which specifies the authority which has been granted to the sender;
receiving said message by said recipient and validating the identity of the sender by electronically analyzing the at least one digital signature; and
determining the authority which has been granted to the sender by analyzing the delegated authority information specified in said authorizing certificate and determining by electronically analyzing said digital fields that said certifier has been granted the authority to grant said delegated authority.

41. A method according to claim 40, wherein said at least one digital signature is created by computing a presignature hash and said step of validating the identity of the sender includes the steps of recomputing said presignature hash with the received message, encrypting the signature to be verified, comparing the recomputed presignature hash and said encrypted signature to be verified; and rejecting said signature if different.

42. A method according to claim 41, wherein said encrypting operation is performed with the sender's public encrypting key.

43. A method according to claim 40, further including the step of electronically verifying by a predetermined verification algorithm that the received message is identical to the message as it was initially signed.

44. A method according to claim 40, further including the steps of:
specifying in digital fields in said message at least one digital signature in addition to the signer's signature required to be transmitted;
transmitting said at least one digital signature required to be transmitted and at least one associated …;
electronically examining, upon receipt of said message, all received digital certificates; and
determining in accordance with a predetermined validation algorithm that all necessary signatures are present and that the sender is properly authorized based on data contained in said certificates.

45. A method according to claim 40, wherein said authorizing certificate includes at least one field defining the identity of the signer.

46. A method according to claim 40, further including transmitting a plurality of certificates and wherein at least one of the transmitted certificates is a meta-certificate, where a meta-certificate is a digital authorizing certificate from which authority flows which originates from a trusted source commonly known to both the signer and the recipient.
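The signature check of claims 41 and 42 (recompute the presignature hash, encrypt the received signature with the sender's public key, compare) and the delegated-authority chain walk of claims 40 and 46 (from a meta-certificate issued by a commonly trusted source down to the sender), written out as an added Python example that is not from the patent. It assumes textbook RSA with constructed tiny primes, hypothetical certificate field names, and a constructed root/officer/clerk chain.

```python
import hashlib, json

def make_keypair(p, q, e=17):
    # Constructed textbook RSA keys from tiny primes: illustration only, not secure.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def presignature_hash(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, key):
    return pow(presignature_hash(message, key["n"]), key["d"], key["n"])

def verify(message, signature, pub):
    # Claims 41/42: recompute the presignature hash, encrypt the received
    # signature with the signer's public key, accept only if they match.
    return pow(signature, pub["e"], pub["n"]) == presignature_hash(message, pub["n"])

def encode(fields):
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(subject, subject_key, authority, certifier, certifier_key):
    # Authorizing certificate (hypothetical field names) signed with the certifier's own key.
    fields = {"subject": subject, "n": subject_key["n"], "e": subject_key["e"],
              "authority": sorted(authority), "certifier": certifier}
    return {"fields": fields, "signature": sign(encode(fields), certifier_key)}

def validate(message, signature, chain, trusted_root):
    """Claims 40/46: walk the chain from the meta-certificate issued by the
    commonly trusted source to the sender, checking each certificate's signature
    and that each certifier held the authority it delegates, then check the
    message signature. Returns the sender's proven authority, or None."""
    name, pub, authority = trusted_root
    for cert in chain:
        f = cert["fields"]
        if f["certifier"] != name or not verify(encode(f), cert["signature"], pub):
            return None
        if not set(f["authority"]) <= authority:  # may only delegate what it holds
            return None
        name, pub, authority = f["subject"], {"n": f["n"], "e": f["e"]}, set(f["authority"])
    return authority if verify(message, signature, pub) else None

# Constructed parties: root -> officer (meta-certificate) -> clerk.
ROOT, OFFICER, CLERK = make_keypair(61, 53), make_keypair(89, 97), make_keypair(67, 71)
TRUSTED_ROOT = ("root", {"n": ROOT["n"], "e": ROOT["e"]}, {"approve-po", "approve-invoice"})
META_CERT = issue_certificate("officer", OFFICER, {"approve-po", "approve-invoice"}, "root", ROOT)
CLERK_CERT = issue_certificate("clerk", CLERK, {"approve-po"}, "officer", OFFICER)
MESSAGE, CHAIN = b"PO-1234 approved", [META_CERT, CLERK_CERT]
SIGNATURE = sign(MESSAGE, CLERK)
```

A certificate that tries to delegate more than its certifier holds, or a chain that does not start at the trusted source, is rejected before the message signature is even examined.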
UNITED STATES PATENT AND TRADEMARK OFFICE

CERTIFICATE OF CORRECTION

PATENT NO. : 4,868,877

DATED : September 19, 1989

INVENTOR(S) : Addison M. Fischer

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Column 19, line 23, after "some" insert —of said—;

after "associated" insert —private—;

Column 19, line 39, delete "be" and insert —by—.

Column 20, line 23, delete "signer, s" and insert —signer's—;

line 35, delete "plurality" and insert —identity—.

Column 21, line 15, delete "signer, s" and insert —signer's—;

Column 21, line 32, delete "member" and insert —number—;

Column 21, line 49, delete "recipients" and insert —recipient's—.

Column 22, line 53, delete "send-r" and insert —sender—.

Signed and Sealed this
Twentieth Day of August, 1991

Attest:

Attesting Officer

HARRY F. MANBECK, JR.
Commissioner of Patents and Trademarks



